Manage IPsec rules

  • Define an IPsec rule:

    router{conf:myconfig-sec}ipsec-rule NAME LOCALZONE REMOTEZONE [vrf-id VRFID] PROTO IPSECPOLICY MODE VPNNAME [PRIORITY] [reqid (auto|REQID)]
    router{conf:myconfig-sec}ipsec-rule NAME LOCALZONE REMOTEZONE [vrf-id VRFID] PROTO OTHERPOLICY [PRIORITY] [reqid (auto|REQID)]

    The first part of the command is the traffic selector:

    NAME
        Name of the IPsec rule.

    LOCALZONE
        Local zone of the traffic flow in the form of an IP address prefix. It must be set as an IPv4/IPv6 address or IPv4/IPv6 address prefix, optionally followed by a transport protocol port.

        (PREFIXLEN and PORT must be decimal numbers. The square brackets around the port are mandatory. No name resolution is performed on addresses; they must be specified in numeric form.)

    REMOTEZONE
        Remote zone of the traffic flow. The format is the same as for LOCALZONE.

    VRFID
        VR of the SP, part of the SP identifier (the VR for the clear traffic).

    PROTO
        Upper-layer protocol carried by IP. It may be any, udp, tcp, icmp, icmp6 or a numeric protocol value. If icmp or icmp6 is used, the ICMP type value may also be specified in square brackets (e.g. icmp[8] for an ICMP echo request, icmp6[1] for destination unreachable).

    reqid (auto|REQID)
        Associate a reqid with the AH / ESP transformation. auto means that a non-zero reqid value is assigned by the XMS (in the range <0x8000000-0xFFFFFFFF>); otherwise it is a user-specified value in <0-0x7FFFFFFF>.

    ICMP type values are not supported by IKEv1. They are supported only by IKEv2 and static tunnels.

    The second part of the command is the action definition. If IPsec must be applied to the traffic flow, the first form of the command is used:

    IPSECPOLICY
        IPsec protocol that will be applied:

        ah
            Requires the use of AH.

        esp
            Requires the use of ESP.

    MODE
        Mode of the IPsec protocol (tunnel or transport).

    VPNNAME
        Name of the VPN that this rule is linked to. The VPN provides the information about the IPsec gateways and the cryptographic material.

    If IPsec must not be applied to the traffic flow, the second form of the command is used:

    OTHERPOLICY
        The action that will be applied:

        clear
            Let the traffic flow pass in clear text.

        discard
            Discard the packets of the traffic flow.

  • Configure the IPsec rule to avoid rule overlaps:

    PRIORITY
        The priority of the rule. Rules with smaller priority values are preferred.


    • Do not let rules with the same priority overlap; the priority is what resolves ambiguities between rules.

    • Make sure you fully understand the use of transport mode. Even if an IPsec rule may specify localzone and remotezone as subnets, IKE negotiation and IPsec are performed between the two endpoints located in each zone, not between two security gateways. The localzone must only contain addresses configured on Turbo IPsec, and the VPN definition must be configured accurately.

      For instance, in the following configuration, the rules with priorities 2000 and 2001 are not possible:

      ipsec-rule ZA ZB any esp transport VPNAB 2000

      ipsec-rule ZA ZB any esp transport VPNAB 2001

      ipsec-rule A B any esp transport VPNAB 2002

      vpn VPNAB cer-strong A B CANAME

      trust CANAME
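    As an added example (not part of this manual or the product), the following Python checker parses ipsec-rule lines written in the syntax above and reports pairs of rules that share a priority while their traffic selectors overlap, i.e. the ambiguity the note above tells you to avoid. It assumes the zone form ADDRESS or ADDRESS/PREFIXLEN with an optional [PORT] suffix, skips the vrf-id and reqid options, and uses constructed sample rules.

```python
import ipaddress
import re
from collections import namedtuple

# Assumed zone grammar: ADDRESS or ADDRESS/PREFIXLEN, optionally suffixed by [PORT], e.g. 10.1.0.0/16[443]
_ZONE_RE = re.compile(r"^([0-9a-fA-F:.]+(?:/\d+)?)(?:\[(\d+)\])?$")
Rule = namedtuple("Rule", "name local lport remote rport proto action priority")

def _parse_zone(text):
    m = _ZONE_RE.match(text)
    if not m:
        raise ValueError(f"bad zone selector: {text}")
    return ipaddress.ip_network(m.group(1), strict=False), int(m.group(2)) if m.group(2) else None

def parse_rule(line):
    """Parse one 'ipsec-rule ...' line; vrf-id and reqid options are accepted and skipped."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "ipsec-rule":
        raise ValueError(f"not an ipsec-rule line: {line}")
    name, local, remote, rest = toks[1], toks[2], toks[3], toks[4:]
    if rest[0] == "vrf-id":
        rest = rest[2:]
    proto, action, rest = rest[0], rest[1], rest[2:]
    if action in ("ah", "esp"):
        rest = rest[2:]  # first command form: skip MODE and VPNNAME
    priority = int(rest[0]) if rest and rest[0] != "reqid" else None
    return Rule(name, *_parse_zone(local), *_parse_zone(remote), proto, action, priority)

def selectors_overlap(a, b):
    """True when some packet could match both traffic selectors."""
    pok = lambda x, y: x is None or y is None or x == y  # an absent port means every port
    return (a.local.version == b.local.version and a.local.overlaps(b.local)
            and a.remote.version == b.remote.version and a.remote.overlaps(b.remote)
            and pok(a.lport, b.lport) and pok(a.rport, b.rport)
            and ("any" in (a.proto, b.proto) or a.proto == b.proto))

def find_ambiguities(lines):
    """Return (name, name) pairs of rules that share a priority and have overlapping selectors."""
    rules = [parse_rule(line) for line in lines]
    return [(a.name, b.name) for i, a in enumerate(rules) for b in rules[i + 1:]
            if a.priority == b.priority and selectors_overlap(a, b)]

SAMPLE_RULES = [  # constructed configuration, not taken from the page
    "ipsec-rule r1 10.1.0.0/16 10.2.0.0/16 any esp tunnel VPNAB 2000",
    "ipsec-rule r2 10.1.5.0/24 10.2.0.0/16 tcp esp tunnel VPNAB 2000",
    "ipsec-rule r3 10.1.5.0/24 10.2.0.0/16 udp clear 2001",
    "ipsec-rule r4 10.1.0.0/16[443] 10.3.0.0/16 tcp discard 2000",
]

if __name__ == "__main__":
    print(find_ambiguities(SAMPLE_RULES))  # [('r1', 'r2')]
```

    Only r1 and r2 are flagged: they share priority 2000 and r2's selector is a subset of r1's, whereas r4 has the same priority but a disjoint remote zone.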

  • Delete an IPsec rule:

    router{conf:myconfig-sec}delete ipsec-rule NAME

  • Delete all IPsec rules:

    router{conf:myconfig-sec}delete ipsec-rule all


router{conf:myconfig-sec}ipsec-rule ZAZB tcp ah tunnel vpn4
router{conf:myconfig-sec}ipsec-rule ABicmp icmp clear 2009
router{conf:myconfig-sec}ipsec-rule AB any ah transport vpn4 2010

When a tunnel applies to any traffic, the 0.0.0.0/0 or ::/0 notation is used.

  • Define a clear policy between a zone and the Internet:

    router{conf:myconfig-sec}ipsec-rule freeexit any clear
    router{conf:myconfig-sec}delete ipsec-rule rule1


    When protecting traffic between two gateways by a static VPN, the same static SAs will be used for all IPsec rules attached to this VPN. When using a dynamic VPN, IKE will negotiate different SAs for each tunnel where traffic flows.