Security policy

Use IPsec to create IPsec security policies that define the levels of security for different types of traffic. You can use IPsec security policies to create rules to filter traffic with IPsec. IPsec policies determine what IP traffic to secure. An IPsec security policy typically consists of:
  • An IP filter

  • Security algorithms for authentication and key exchange

  • An action

Creation of a security policy

You can configure IPsec on IPv4/IPv6 interfaces. First, create and configure an IPsec policy, and then add and enable the policy on an interface.

After you enable IPsec, the device encrypts all control traffic on the interface based on the policy. You have to specify individual policies to target a particular interface address or multiple addresses. By default, this implementation does not work on a subnet.

The Security Policy Database (SPD) maintains the IPsec security policies. The device checks every ingress or egress packet for the IPsec base protocol, either AH or ESP. The base protocol interacts with the security policy database (SPD) and security association database (SADB) to check the level of security to apply to that packet.

The IPsec feature only adds policies if the source address in the policy specified matches an interface IP address.

The IPsec feature restricts the policy match source address to the interface address of the router and destination IPv6 address.