Manage IPsec rules

  • Define an IPsec rule:

    router{conf:myconfig-sec}ipsec-rule NAME LOCALZONE REMOTEZONE [vrf-id VRFID] PROTO IPSECPOLICY MODE VPNNAME [PRIORITY] [reqid (auto|REQID)]
    router{conf:myconfig-sec}ipsec-rule NAME LOCALZONE REMOTEZONE [vrf-id VRFID] PROTO OTHERPOLICY [PRIORITY] [reqid (auto|REQID)]
    

    The first part of the command is the traffic selector:

    NAME

    Name of the IPsec rule

    LOCALZONE

    Local zone of the traffic flow, given as an IP address or address prefix. It must be an IPv4/IPv6 address or an IPv4/IPv6 address prefix, optionally followed by a transport protocol port:

    • ADDRESS

    • ADDRESS/PREFIXLEN

    • ADDRESS[PORT]

    • ADDRESS/PREFIXLEN[PORT]

      (PREFIXLEN and PORT must be decimal numbers. The square brackets around PORT are mandatory. No name resolution is performed on addresses: they must be given in numeric form.)

    REMOTEZONE

    Remote zone of the traffic flow. Format is the same as localzone.

    VRFID

    VR (virtual router) of the SP (security policy). It is part of the SP identifier and is the VR in which the clear-text traffic is seen.

    PROTO

    Upper-layer protocol carried by IP. It may be any, udp, tcp, icmp, icmp6 or a numeric protocol value. If icmp or icmp6 is used, the ICMP type value may also be specified, in square brackets (e.g. icmp[8] = *ICMP echo request*, icmp6[1] = *destination unreachable*).

    REQID

    Reqid to associate with the AH / ESP transformation. auto means that a non-zero reqid is assigned by the XMS (in the range <0x80000000-0xFFFFFFFF>); otherwise it is a user-specified value in the range <0-0x7FFFFFFF>.

    Caution

    ICMP type values are not supported with IKEv1. They are supported only with IKEv2 and static tunnels.

    The second part of the command is the action definition. If IPsec must be applied to the traffic flow, the first form of the command is used:

    IPSECPOLICY

    IPsec protocols that will be applied

    ah

    Requires the use of AH

    esp

    Requires the use of ESP

    MODE

    Mode of the IPsec protocol (tunnel or transport).

    VPNNAME

    Name of the VPN that this rule is linked to. The VPN will provide information about the IPsec gateways and the cryptographic material.

    If IPsec must not be applied to the traffic flow, the second form of the command is used:

    OTHERPOLICY

    The action that will be applied:

    clear

    Let the traffic flow pass in clear-text

    discard

    Discard packets of the traffic flow

  • Configure the IPsec rule to avoid rule overlaps:

    PRIORITY

    Priority of the rule. When two rules overlap, the rule with the smaller priority value is preferred.

    Caution

    • Do not let rules with the same priority overlap. Priority is what removes the ambiguity between overlapping rules, so two overlapping rules with equal priority leave the choice undefined.

    • Make sure you fully understand the use of transport mode. Even though an IPsec rule may specify localzone and remotezone as subnets, in transport mode IKE negotiation and IPsec processing take place between the two endpoints located in each zone, not between two security gateways. The localzone must therefore only contain addresses configured on Turbo IPsec, and the VPN definition must be configured accordingly.

      For instance, in the following configuration, rules 2000 and 2001 are not possible: ZA and ZB are subnets, whereas VPNAB is defined between the endpoints A and B. Only rule 2002, between A and B themselves, is valid:

      ipsec-rule ZA ZB any esp transport VPNAB 2000

      ipsec-rule ZA ZB any esp transport VPNAB 2001

      ipsec-rule A B any esp transport VPNAB 2002

      vpn VPNAB cer-strong A B CANAME

      trust CANAME

  • Delete an IPsec rule:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}delete ipsec-rule NAME
    
  • Delete all IPsec rules:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}delete ipsec-rule all
    

Example

router{conf:myconfig-sec}ipsec-rule ZAZB 10.0.0.0/24 10.1.0.0/24 tcp ah tunnel vpn4
router{conf:myconfig-sec}ipsec-rule ABicmp 192.0.0.1 192.0.0.2 icmp clear 2009
router{conf:myconfig-sec}ipsec-rule AB 192.0.0.1 192.0.0.2 any ah transport vpn4 2010
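
The following Python script is an added example, not part of Turbo IPsec or of its documentation. It parses ipsec-rule lines in the syntax above, enforces the selector constraints (numeric addresses, mandatory brackets around PORT, ICMP type only after icmp/icmp6, user reqid in 0-0x7FFFFFFF), reports overlapping rules that share a priority, flags transport-mode rules whose localzone is wider than a single host, and resolves which rule a given flow would hit. All function names are hypothetical, the vrf-id option is not modelled, and the sample rules are the three from the Example above.

```python
"""Validator and lookup for `ipsec-rule` lines as described on this page. Added
example, not 6WIND's code: names are hypothetical, sample rules constructed, vrf-id
not modelled. It checks selector syntax and the reqid range, finds same-priority
overlaps and resolves which rule a flow would hit."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the three rules of the Example above.
SAMPLE_RULES = """\
ipsec-rule ZAZB 10.0.0.0/24 10.1.0.0/24 tcp ah tunnel vpn4
ipsec-rule ABicmp 192.0.0.1 192.0.0.2 icmp clear 2009
ipsec-rule AB 192.0.0.1 192.0.0.2 any ah transport vpn4 2010
"""
# Zone = ADDRESS[/PREFIXLEN][[PORT]] in numeric form; PROTO = name|number[[ICMPTYPE]].
ZONE_RE = re.compile(r"^([0-9A-Fa-f.:]+)(?:/(\d+))?(?:\[(\d+)\])?$")
PROTO_RE = re.compile(r"^(any|udp|tcp|icmp|icmp6|\d+)(?:\[(\d+)\])?$")
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1, "icmp6": 58}

@dataclass
class Zone:
    net: object                 # ip_network; a bare address becomes /32 or /128
    port: Optional[int] = None  # None = any port

    def overlaps(self, other):
        return (self.net.version == other.net.version and self.net.overlaps(other.net)
                and (None in (self.port, other.port) or self.port == other.port))

@dataclass
class Rule:
    name: str
    local: Zone
    remote: Zone
    proto: Optional[int]        # None = any
    icmp_type: Optional[int]    # icmp/icmp6 only (IKEv2 and static tunnels)
    policy: str                 # ah | esp | clear | discard
    mode: Optional[str]         # tunnel | transport (ah/esp only)
    vpn: Optional[str]
    priority: Optional[int]     # smaller value wins
    reqid: Optional[str]        # "auto" or a user value in 0-0x7FFFFFFF

    def selector_overlaps(self, other):  # could one packet match both rules?
        return (self.local.overlaps(other.local) and self.remote.overlaps(other.remote)
                and (None in (self.proto, other.proto) or self.proto == other.proto)
                and (None in (self.icmp_type, other.icmp_type)
                     or self.icmp_type == other.icmp_type))

def parse_zone(text):
    m = ZONE_RE.match(text)
    if not m:
        raise ValueError(f"bad zone {text!r}: numeric address, brackets around PORT mandatory")
    addr, plen, port = m.groups()
    net = ipaddress.ip_network(addr if plen is None else f"{addr}/{plen}", strict=False)
    return Zone(net, None if port is None else int(port))

def parse_rule(line):
    tok = line.split()
    if tok[:1] != ["ipsec-rule"] or len(tok) < 5:
        raise ValueError(f"not an ipsec-rule line: {line!r}")
    name, local, remote = tok[1], parse_zone(tok[2]), parse_zone(tok[3])
    pm = PROTO_RE.match(tok[4])
    if not pm:
        raise ValueError(f"bad protocol {tok[4]!r}")
    pname, ptype = pm.groups()
    if ptype is not None and pname not in ("icmp", "icmp6"):
        raise ValueError("[TYPE] is only valid after icmp or icmp6")
    proto = None if pname == "any" else PROTO_NUM.get(pname) or int(pname)
    policy, tail, mode, vpn, reqid = tok[5], tok[6:], None, None, None
    if policy in ("ah", "esp"):     # first form: MODE VPNNAME follow
        (mode, vpn), tail = tail[:2], tail[2:]
        if mode not in ("tunnel", "transport"):
            raise ValueError(f"bad mode {mode!r}")
    elif policy not in ("clear", "discard"):
        raise ValueError(f"bad policy {policy!r}")
    if tail[-2:-1] == ["reqid"]:    # trailing [reqid (auto|REQID)]
        reqid, tail = tail[-1], tail[:-2]
        if reqid != "auto" and not 0 <= int(reqid, 0) <= 0x7FFFFFFF:
            raise ValueError("user reqid must be 0-0x7FFFFFFF; auto draws from the upper half")
    return Rule(name, local, remote, proto, None if ptype is None else int(ptype),
                policy, mode, vpn, int(tail[0]) if tail else None, reqid)

def same_priority_conflicts(rules):  # overlapping pairs with equal priority: ambiguous
    return [(a.name, b.name) for k, a in enumerate(rules) for b in rules[k + 1:]
            if a.priority == b.priority and a.selector_overlaps(b)]

def transport_mode_warnings(rules):
    # Assumption: "localzone must only contain Turbo IPsec addresses" is approximated as
    # "a single /32 or /128", so subnet zones such as ZA/ZB in the Caution get flagged.
    return [r.name for r in rules if r.mode == "transport" and r.local.net.num_addresses != 1]

def lookup(rules, src, dst, proto, icmp_type=None):
    # Smallest priority wins; a rule with no explicit PRIORITY is assumed to sort last.
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in rules if src in r.local.net and dst in r.remote.net
            and r.proto in (None, proto) and r.icmp_type in (None, icmp_type)]
    hits.sort(key=lambda r: (r.priority is None, r.priority or 0))
    return hits[0].name if hits else None
```

Running lookup on the three sample rules shows the priority mechanism at work: an ICMP echo request from 192.0.0.1 to 192.0.0.2 matches both ABicmp (2009) and AB (2010) and resolves to the clear rule, while TCP between the same hosts falls through to the AH transport rule. Adding a rule with priority 2009 whose selector overlaps ABicmp is reported as a conflict, which is exactly the situation the Caution tells you to avoid.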

When a tunnel applies to any traffic, use the 0.0.0.0/0 (IPv4) or ::/0 (IPv6) notation for the zone.

  • Define a clear policy between a zone and the Internet:

    router{conf:myconfig-sec}ipsec-rule freeexit 10.0.0.0/24 0.0.0.0/0 any clear
    router{conf:myconfig-sec}delete ipsec-rule rule1
    

    Note

    When protecting traffic between two gateways with a static VPN, the same static SAs are used for all IPsec rules attached to that VPN. With a dynamic VPN, IKE negotiates distinct SAs for each tunnel (that is, for each rule's traffic selector) where traffic actually flows.