net ipsec ipsec-policy
net ipsec ipsec-policy(1) BIG-IP TMSH Manual net ipsec ipsec-policy(1)
NAME
ipsec-policy - Configures the IPsec security policy.
MODULE
net ipsec
SYNTAX
Configure the ipsec-policy component within the net ipsec module using
the syntax in the following sections.
CREATE/MODIFY
create ipsec-policy [name]
modify ipsec-policy [name]
options:
app-service [[string] | none]
description [string]
ike-phase2-auth-algorithm [aes-gcm128 | aes-gcm192 | aes-gcm256 | aes-gmac128 | aes-gmac192 | aes-gmac256 | sha1 | sha256 | sha384 | sha512]
ike-phase2-encrypt-algorithm [3des | aes128 | aes192 | aes256 | aes-gcm128 | aes-gcm192 | aes-gcm256 | aes-gmac128 | aes-gmac192 | aes-gmac256 | null]
ike-phase2-lifetime [integer]
ike-phase2-lifetime-kilobytes [integer]
ike-phase2-perfect-forward-secrecy [modp1024 | modp1536 | modp2048 | modp3072 | modp4096 | modp6144 | modp768 | modp8192]
ipcomp [deflate | none | null]
mode [transport | tunnel | isession | interface]
protocol [esp]
tunnel-local-address [ip address]
tunnel-remote-address [ip address]
DISPLAY
list ipsec-policy
list ipsec-policy [ [ [name] | [glob] | [regex] ] ... ]
show running-config ipsec-policy
show running-config ipsec-policy [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
partition
DESCRIPTION
An ipsec-policy indicates the IPsec rule and action to be applied to
the packets matched by the traffic-selector associated with this
ipsec-policy.
EXAMPLES
create ipsec ipsec-policy tunnel_policy_sjc_sea { description "ipsec
policy for the sjc-sea ipsec tunnel" mode tunnel tunnel-local-address
1.1.1.1 tunnel-remote-address 2.2.2.2 }
Creates the tunnel mode ipsec-policy tunnel_policy_sjc_sea.
delete ipsec ipsec-policy tunnel_policy_sjc_sea
Deletes the ipsec-policy tunnel_policy_sjc_sea.
OPTIONS
app-service
Specifies the name of the application service to which the object
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the object. Only the application
service can modify or delete the object.
description
User defined description.
ike-phase2-auth-algorithm
Specifies a payload authentication algorithm for ESP. This
attribute is only valid when IKE is used to negotiate Security
Associations. The possible options are: aes-gcm128, aes-gcm192,
aes-gcm256, aes-gmac128, aes-gmac192, aes-gmac256, sha256, sha384,
sha512 and sha1. The default value is aes-gcm128.
Note: Because aes-gcm and aes-gmac are authenticated encryption
algorithms, when ike-phase2-auth-algorithm is set to aes-gcm or
aes-gmac, ike-phase2-encrypt-algorithm has to be set to the
identical algorithm with the same key length. sha256, sha384,
sha512 and sha1 can only be used with an encryption algorithm that
is NOT an authenticated encryption algorithm.
ike-phase2-encrypt-algorithm
Specifies an encryption algorithm for ESP. This attribute is only
valid when IKE is used to negotiate security associations. The
default value is aes-gcm128.
Note: Because aes-gcm and aes-gmac are authenticated encryption
algorithms, when ike-phase2-encrypt-algorithm is set to one of
these algorithms, ike-phase2-auth-algorithm has to be set to the
identical algorithm with the same key length.
ike-phase2-lifetime
Specifies the lifetime duration, in minutes, of the dynamically
negotiated security associations (SAs). This attribute is only
valid when IKE is used to negotiate security associations.
ike-phase2-lifetime-kilobytes
Specifies the lifetime duration, in kilobytes, of the dynamically
negotiated security associations (SAs). This attribute is only
valid when IKE is used to negotiate security associations. A value
of '0' means the SA will not re-key based on the number of bytes
encrypted/decrypted. The minimum recommended value is 1000
kilobytes. This value is not negotiated between peers.
ike-phase2-perfect-forward-secrecy
Specifies the Diffie-Hellman group used for perfect forward secrecy
(PFS) in phase 2. This attribute is only valid when IKE is used to
negotiate security associations. The value 'none' indicates that
PFS is disabled for phase 2 SA negotiations.
mode Specifies a security protocol mode for use. The options are:
transport
IPsec transport mode is used.
tunnel
IPsec tunnel mode is used.
isession
A special tunnel mode ipsec-policy that is only applicable on
wom, remote-endpoint, or local-endpoint.
interface
IPsec interface mode is used.
protocol
Specifies the IPsec protocol: Encapsulating Security Payload (ESP)
or Authentication Header (AH).
ipcomp
Specifies the compression algorithm for IPComp. The following
codecs are available:
none Disable IPComp
deflate
Packets will be encapsulated with IPComp header and Deflate
compression algorithm will be applied to the data.
null Packets will be encapsulated with IPComp header but no
compression algorithm will be applied to the data.
tunnel-local-address
Specifies the IP address of the local IPsec tunnel endpoint. This
option is only valid when mode is tunnel. The format required for
specifying a route domain ID in an IP address is A.B.C.D%ID. For
example, A.B.C.D%2, where the IP address A.B.C.D pertains to route
domain 2.
tunnel-remote-address
Specifies the IP address of the remote IPsec tunnel endpoint. This
option is only valid when mode is tunnel. The format required for
specifying a route domain ID in an IP address is A.B.C.D%ID. For
example, A.B.C.D%2, where the IP address A.B.C.D pertains to route
domain 2.
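As an added example (not part of the TMSH manual or any F5 tooling), the following Python linter encodes the constraints stated in the option descriptions above, namely the AEAD pairing rule between ike-phase2-auth-algorithm and ike-phase2-encrypt-algorithm, the tunnel-only address options, and the recommended ike-phase2-lifetime-kilobytes minimum, and then renders the fully qualified tmsh create command. The dict keys are the option names from this page; lint_policy and render_create are assumed helper names.

```python
# Added example, not F5 code: lint an ipsec-policy definition against the
# constraints documented on this manual page, then render the tmsh command.
AEAD = {"aes-gcm128", "aes-gcm192", "aes-gcm256",
        "aes-gmac128", "aes-gmac192", "aes-gmac256"}
HASH_AUTH = {"sha1", "sha256", "sha384", "sha512"}
NON_AEAD_ENC = {"3des", "aes128", "aes192", "aes256", "null"}
MODES = {"transport", "tunnel", "isession", "interface"}
DEFAULTS = {"ike-phase2-auth-algorithm": "aes-gcm128",   # documented defaults
            "ike-phase2-encrypt-algorithm": "aes-gcm128"}

def lint_policy(policy):
    """Return a list of violations for a policy given as {option: value}."""
    p = {**DEFAULTS, **policy}
    auth, enc = p["ike-phase2-auth-algorithm"], p["ike-phase2-encrypt-algorithm"]
    errors = []
    if auth not in AEAD | HASH_AUTH or enc not in AEAD | NON_AEAD_ENC:
        errors.append(f"unknown algorithm: auth={auth} encrypt={enc}")
    elif (auth in AEAD or enc in AEAD) and auth != enc:
        # aes-gcm/aes-gmac are authenticated encryption: both options must name
        # the identical algorithm and key length; sha* pairs only with non-AEAD.
        errors.append(f"AEAD pairing violated: auth={auth} encrypt={enc}")
    mode = p.get("mode")
    if mode not in MODES:
        errors.append(f"mode must be one of {sorted(MODES)}, got {mode!r}")
    elif mode != "tunnel" and ("tunnel-local-address" in p
                               or "tunnel-remote-address" in p):
        errors.append("tunnel-local/remote-address are only valid in tunnel mode")
    kb = p.get("ike-phase2-lifetime-kilobytes")
    if kb is not None and 0 < int(kb) < 1000:   # 0 disables byte-based re-key
        errors.append(f"ike-phase2-lifetime-kilobytes {kb} is below recommended 1000")
    return errors

def render_create(name, policy):
    """Render the fully qualified tmsh create command for a valid policy."""
    errors = lint_policy(policy)
    if errors:
        raise ValueError("; ".join(errors))
    body = " ".join(f'{k} "{v}"' if k == "description" else f"{k} {v}"
                    for k, v in policy.items())
    return f"create net ipsec ipsec-policy {name} {{ {body} }}"

if __name__ == "__main__":
    # Constructed sample: the manual's sjc-sea tunnel, pinned to AES-256-GCM
    # on both phase-2 options with PFS group modp2048.
    sample = {"description": "ipsec policy for the sjc-sea ipsec tunnel",
              "mode": "tunnel", "ike-phase2-perfect-forward-secrecy": "modp2048",
              "ike-phase2-auth-algorithm": "aes-gcm256",
              "ike-phase2-encrypt-algorithm": "aes-gcm256",
              "tunnel-local-address": "1.1.1.1", "tunnel-remote-address": "2.2.2.2"}
    print(render_create("tunnel_policy_sjc_sea", sample))
```

A policy that violates the documented rules (for example the default aes-gcm128 authentication paired with aes256 encryption) is rejected before any command is generated.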
SEE ALSO
list, net ipsec traffic-selector, net ipsec manual-security-association,
tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2013, 2016. All rights
reserved.
BIG-IP 2017-03-10 net ipsec ipsec-policy(1)