net ipsec ipsec-policy

net ipsec ipsec-policy(1)				BIG-IP TMSH Manual				 net ipsec ipsec-policy(1)

NAME
       ipsec-policy - Configures the IPsec security policy.

MODULE
       net ipsec

SYNTAX
       Configure the ipsec-policy component within the net ipsec module using the syntax in the following sections.

   CREATE/MODIFY
	 create ipsec-policy [name]
	 modify ipsec-policy [name]
	  options:
	    app-service [[string] | none]
	    description [string]
	    ike-phase2-auth-algorithm [aes-gcm128 | aes-gcm192 | aes-gcm256 | aes-gmac128 | aes-gmac192 | aes-gmac256 | sha1 | sha256 | sha384 | sha512]
	    ike-phase2-encrypt-algorithm [3des | aes128 | aes192 | aes256 | aes-gcm128 | aes-gcm192 | aes-gcm256 | aes-gmac128 | aes-gmac192 | aes-gmac256 | null]
	    ike-phase2-lifetime [integer]
	    ike-phase2-lifetime-kilobytes [integer]
	    ike-phase2-perfect-forward-secrecy [modp1024 | modp1536 | modp2048 | modp3072 | modp4096 | modp6144 | modp768 | modp8192]
	    ipcomp [deflate | none | null]
	    mode [transport | tunnel | interface]
	    protocol [esp]
	    tunnel-local-address [ip address]
	    tunnel-remote-address [ip address]

   DISPLAY
	 list ipsec-policy
	 list ipsec-policy [ [ [name] | [glob] | [regex] ] ... ]
	 show running-config ipsec-policy
	 show running-config ipsec-policy [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    partition

DESCRIPTION
       An ipsec-policy specifies the IPsec rule and action to be applied to the packets matched by the traffic-selector associated
       with this ipsec-policy.

EXAMPLES
       create ipsec ipsec-policy tunnel_policy_sjc_sea { description "ipsec policy for the sjc-sea ipsec tunnel" mode tunnel
       tunnel-local-address 1.1.1.1 tunnel-remote-address 2.2.2.2 }

       Creates the tunnel mode ipsec-policy tunnel_policy_sjc_sea.

       delete ipsec ipsec-policy tunnel_policy_sjc_sea

       Deletes the ipsec-policy tunnel_policy_sjc_sea.

OPTIONS
       app-service
	    Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
	    strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
	    object. Only the application service can modify or delete the object.

       description
	    User defined description.

       ike-phase2-auth-algorithm
	    Specifies a payload authentication algorithm for ESP. This attribute is only valid when IKE is used to negotiate
	    Security Associations. The possible options are: aes-gcm128, aes-gcm192, aes-gcm256, aes-gmac128, aes-gmac192,
	    aes-gmac256, sha256, sha384, sha512 and sha1. The default value is aes-gcm128.

	    Note: Because aes-gcm and aes-gmac are authenticated encryption algorithms, when ike-phase2-auth-algorithm is set to
	    aes-gcm or aes-gmac, ike-phase2-encrypt-algorithm has to be set to the identical algorithm with the same key length.
	    sha256, sha384, sha512 and sha1 can only be used with an encryption algorithm that is NOT an authenticated encryption
	    algorithm.

       ike-phase2-encrypt-algorithm
	    Specifies an encryption algorithm for ESP. This attribute is only valid when IKE is used to negotiate security
	    associations. The default value is aes-gcm128.

	    Note: Because aes-gcm and aes-gmac are authenticated encryption algorithms, when ike-phase2-encrypt-algorithm is set
	    to one of these algorithms, ike-phase2-auth-algorithm has to be set to the identical algorithm with the same key
	    length.

       ike-phase2-lifetime
	    Specifies the lifetime duration, in minutes, of the dynamically negotiated security associations (SAs). This attribute
	    is only valid when IKE is used to negotiate security associations.

       ike-phase2-lifetime-kilobytes
	    Specifies the lifetime, in kilobytes, of the dynamically negotiated security associations (SAs). This attribute is
	    only valid when IKE is used to negotiate security associations. A value of '0' means the SA will not rekey based on
	    the number of bytes encrypted/decrypted. The minimum recommended value is 1000 kilobytes. This value is not negotiated
	    between peers.

       ike-phase2-perfect-forward-secrecy
	    Defines the group of Diffie-Hellman exponentiations. This attribute is only valid when IKE is used to negotiate
	    Security Associations. The value 'none' indicates that PFS is disabled for phase 2 SA negotiations.

       mode
	    Specifies a security protocol mode for use. The options are:

	    transport
		 IPsec transport mode is used.

	    tunnel
		 IPsec tunnel mode is used.

	    interface
		 IPsec interface mode is used.

       protocol
	    Specifies the IPsec protocol: Encapsulating Security Payload (ESP) or Authentication Header (AH).

       ipcomp
	    Specifies the compression algorithm for IPComp. The following codecs are available:

	    none
		 Disables IPComp.

	    deflate
		 Packets will be encapsulated with an IPComp header and the Deflate compression algorithm will be applied to the data.

	    null
		 Packets will be encapsulated with an IPComp header but no compression algorithm will be applied to the data.

       tunnel-local-address
	    Specifies the IP address of the local IPsec tunnel endpoint. This option is only valid when mode is tunnel.  The
	    format required for specifying a route domain ID in an IP address is A.B.C.D%ID.  For example, A.B.C.D%2, where the IP
	    address A.B.C.D pertains to route domain 2.

       tunnel-remote-address
	    Specifies the IP address of the remote IPsec tunnel endpoint. This option is only valid when mode is tunnel.  The
	    format required for specifying a route domain ID in an IP address is A.B.C.D%ID.  For example, A.B.C.D%2, where the IP
	    address A.B.C.D pertains to route domain 2.
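The options above carry several consistency rules that tmsh does not make obvious until a command is rejected: aes-gcm and aes-gmac must be named identically (same key length) in both ike-phase2-auth-algorithm and ike-phase2-encrypt-algorithm, sha1/sha256/sha384/sha512 only pair with a non-AEAD cipher, tunnel-local-address and tunnel-remote-address are only valid in tunnel mode and use the A.B.C.D%ID form for route domains, and ike-phase2-lifetime-kilobytes should be 0 or at least 1000. The following Python script is an added example, not part of BIG-IP, tmsh or this manual: it encodes those rules as a pre-flight check over a policy written as a dictionary whose keys mirror the option names, and renders the create command in the form shown under EXAMPLES. The sample policies, the helper names validate_policy and render_create, and the choice to treat a missing mode as an error (the manual states no default for mode) are assumptions of this example.

```python
"""Pre-flight consistency checks for a BIG-IP `net ipsec ipsec-policy`.

Added example, not BIG-IP or tmsh code. It models the rules stated in the
ipsec-policy man page and renders the `create` command for a policy that
passes. Policy dictionaries use the tmsh option names as keys.
"""
import re

# Algorithm families as listed in the SYNTAX section of the man page.
AEAD = {"aes-gcm128", "aes-gcm192", "aes-gcm256",
        "aes-gmac128", "aes-gmac192", "aes-gmac256"}
HMAC_AUTH = {"sha1", "sha256", "sha384", "sha512"}
NON_AEAD_ENCRYPT = {"3des", "aes128", "aes192", "aes256", "null"}
MODES = {"transport", "tunnel", "interface"}
IPCOMP = {"deflate", "none", "null"}
# IPv4 address with optional %route-domain suffix (A.B.C.D%ID), as documented.
ADDR_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(%\d+)?$")


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is consistent."""
    problems = []
    # Defaults for both algorithm options are aes-gcm128 per the man page.
    auth = policy.get("ike-phase2-auth-algorithm", "aes-gcm128")
    enc = policy.get("ike-phase2-encrypt-algorithm", "aes-gcm128")
    if auth not in AEAD | HMAC_AUTH:
        problems.append(f"unknown ike-phase2-auth-algorithm {auth!r}")
    if enc not in AEAD | NON_AEAD_ENCRYPT:
        problems.append(f"unknown ike-phase2-encrypt-algorithm {enc!r}")
    # AEAD rule: if either side is aes-gcm/aes-gmac, both must be the identical
    # algorithm (which also forces the same key length). This also rejects an
    # HMAC auth algorithm paired with an AEAD cipher.
    if (auth in AEAD or enc in AEAD) and auth != enc:
        problems.append(f"AEAD mismatch: auth={auth} encrypt={enc} must be identical")

    # Assumption of this example: mode is required because the page gives no default.
    mode = policy.get("mode")
    if mode not in MODES:
        problems.append(f"mode must be one of {sorted(MODES)}, got {mode!r}")
    for key in ("tunnel-local-address", "tunnel-remote-address"):
        addr = policy.get(key)
        if addr is None:
            continue
        if mode != "tunnel":
            problems.append(f"{key} is only valid when mode is tunnel")
        if not ADDR_RE.match(addr):
            problems.append(f"{key}: bad address {addr!r} (expected A.B.C.D or A.B.C.D%ID)")

    # 0 disables byte-based rekeying; otherwise the page recommends >= 1000 KB.
    kb = policy.get("ike-phase2-lifetime-kilobytes")
    if kb is not None and 0 < kb < 1000:
        problems.append(f"ike-phase2-lifetime-kilobytes={kb} is below the recommended minimum of 1000")

    ipcomp = policy.get("ipcomp")
    if ipcomp is not None and ipcomp not in IPCOMP:
        problems.append(f"ipcomp must be one of {sorted(IPCOMP)}, got {ipcomp!r}")
    return problems


def render_create(name, policy):
    """Render the one-line create command in the form used under EXAMPLES."""
    parts = []
    for key, val in policy.items():
        if key == "description":
            val = '"' + str(val).replace('"', '\\"') + '"'
        parts.append(f"{key} {val}")
    return f"create ipsec ipsec-policy {name} {{ {' '.join(parts)} }}"


# Constructed sample policies for this example.
GOOD_POLICY = {
    "description": "ipsec policy for the sjc-sea ipsec tunnel",
    "mode": "tunnel",
    "tunnel-local-address": "1.1.1.1",
    "tunnel-remote-address": "2.2.2.2",
    "ike-phase2-auth-algorithm": "aes-gcm256",
    "ike-phase2-encrypt-algorithm": "aes-gcm256",
    "ike-phase2-lifetime-kilobytes": 0,
}
BAD_POLICY = {
    "mode": "transport",
    "tunnel-local-address": "10.0.0.1%2",
    "ike-phase2-auth-algorithm": "sha256",
    "ike-phase2-encrypt-algorithm": "aes-gcm128",
    "ike-phase2-lifetime-kilobytes": 500,
}

if __name__ == "__main__":
    for label, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        found = validate_policy(pol)
        print(f"{label}: {'OK' if not found else found}")
        if not found:
            print(render_create("tunnel_policy_sjc_sea", pol))
```

Running the script reports the good policy as consistent and prints its create command, while the bad policy is rejected for three reasons: an HMAC auth algorithm paired with an AEAD cipher, a tunnel address outside tunnel mode, and a byte lifetime below the recommended minimum. Keeping the check in front of tmsh turns a terse command rejection into a message that names the rule from this page.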

SEE ALSO
       list, net ipsec traffic-selector, net ipsec manual-security-association, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2013, 2016. All rights reserved.

BIG-IP							    2020-01-06					 net ipsec ipsec-policy(1)