net ipsec ipsec-policy(1) BIG-IP TMSH Manual net ipsec ipsec-policy(1)
NAME
ipsec-policy - Configures the IPsec security policy.
MODULE
net ipsec
SYNTAX
Configure the ipsec-policy component within the net ipsec module using the syntax in the following sections.
CREATE/MODIFY
create ipsec-policy [name]
modify ipsec-policy [name]
options:
app-service [[string] | none]
description [string]
ike-phase2-auth-algorithm [aes-gcm128 | aes-gcm192 | aes-gcm256 | aes-gmac128 | aes-gmac192 | aes-gmac256 | sha1 | sha256 | sha384 | sha512]
ike-phase2-encrypt-algorithm [3des | aes128 | aes192 | aes256 | aes-gcm128 | aes-gcm192 | aes-gcm256 | aes-gmac128 | aes-gmac192 | aes-gmac256 | null]
ike-phase2-lifetime [integer]
ike-phase2-lifetime-kilobytes [integer]
ike-phase2-perfect-forward-secrecy [modp1024 | modp1536 | modp2048 | modp3072 | modp4096 | modp6144 | modp768 | modp8192]
ipcomp [deflate | none | null]
mode [transport | tunnel | interface]
protocol [esp]
tunnel-local-address [ip address]
tunnel-remote-address [ip address]
DISPLAY
list ipsec-policy
list ipsec-policy [ [ [name] | [glob] | [regex] ] ... ]
show running-config ipsec-policy
show running-config ipsec-policy [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
partition
DESCRIPTION
An ipsec-policy indicates the IPsec rule and action to be applied to the packets matched by the traffic-selector associated with this ipsec-policy.
EXAMPLES
create ipsec ipsec-policy tunnel_policy_sjc_sea { description "ipsec policy for the sjc-sea ipsec tunnel" mode tunnel tunnel-local-address 1.1.1.1 tunnel-remote-address 2.2.2.2 }
Creates the tunnel mode ipsec-policy tunnel_policy_sjc_sea.
delete ipsec ipsec-policy tunnel_policy_sjc_sea
Deletes the ipsec-policy tunnel_policy_sjc_sea.
OPTIONS
app-service
Specifies the name of the application service to which the object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
description
User defined description.
ike-phase2-auth-algorithm
Specifies a payload authentication algorithm for ESP. This attribute is only valid when IKE is used to
negotiate Security Associations. The possible options are: aes-gcm128, aes-gcm192, aes-gcm256,
aes-gmac128, aes-gmac192, aes-gmac256, sha256, sha384, sha512 and sha1. The default value is aes-gcm128.
Note: Because aes-gcm and aes-gmac are authenticated encryption algorithms, when
ike-phase2-auth-algorithm is set to aes-gcm or aes-gmac, ike-phase2-encrypt-algorithm has to be set to
the identical algorithm with the same key length. sha256, sha384, sha512 and sha1 can only be used with
an encryption algorithm that is NOT an authenticated encryption algorithm.
ike-phase2-encrypt-algorithm
Specifies an encryption algorithm for ESP. This attribute is only valid when IKE is used to negotiate
security associations. The default value is aes-gcm128.
Note: Because aes-gcm and aes-gmac are authenticated encryption algorithms, when
ike-phase2-encrypt-algorithm is set to one of these algorithms, ike-phase2-auth-algorithm has to be set
to the identical algorithm with the same key length.
ike-phase2-lifetime
Specifies the lifetime duration, in minutes, of the dynamically negotiated security associations (SAs).
This attribute is only valid when IKE is used to negotiate security associations.
ike-phase2-lifetime-kilobytes
Specifies the lifetime duration, in kilobytes, of the dynamically negotiated security associations (SAs).
This attribute is only valid when IKE is used to negotiate security associations. A value of '0' means
the SA will not re-key based on the number of bytes encrypted/decrypted. The minimum recommended value is
1000 kilobytes. This value is not negotiated between peers.
ike-phase2-perfect-forward-secrecy
Specifies the Diffie-Hellman group used for perfect forward secrecy (PFS). This attribute is only valid
when IKE is used to negotiate Security Associations. The value 'none' indicates that PFS is disabled for
phase 2 SA negotiations.
mode
Specifies the security protocol mode to use. The options are:
transport
IPsec transport mode is used.
tunnel
IPsec tunnel mode is used.
interface
IPsec interface mode is used.
protocol
Specifies the IPsec protocol: Encapsulating Security Payload (ESP) or Authentication Header (AH).
ipcomp
Specifies the compression algorithm for IPComp. The following codecs are available:
none
IPComp is disabled.
deflate
Packets will be encapsulated with an IPComp header and the Deflate compression algorithm will be applied
to the data.
null
Packets will be encapsulated with an IPComp header but no compression algorithm will be applied to the
data.
tunnel-local-address
Specifies the IP address of the local IPsec tunnel endpoint. This option is only valid when mode is
tunnel. The format required for specifying a route domain ID in an IP address is A.B.C.D%ID. For
example, A.B.C.D%2, where the IP address A.B.C.D pertains to route domain 2.
tunnel-remote-address
Specifies the IP address of the remote IPsec tunnel endpoint. This option is only valid when mode is
tunnel. The format required for specifying a route domain ID in an IP address is A.B.C.D%ID. For
example, A.B.C.D%2, where the IP address A.B.C.D pertains to route domain 2.
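The rules stated under OPTIONS can be checked before a change is pushed to a device: the AEAD pairing rule for ike-phase2-auth-algorithm and ike-phase2-encrypt-algorithm, sha* authentication only with a non-AEAD cipher, tunnel addresses being valid only when mode is tunnel, the 1000-kilobyte recommended minimum for ike-phase2-lifetime-kilobytes, and the A.B.C.D%ID route-domain address form. The following Python script is an added example and is not part of the TMSH manual or of F5 software. It validates a candidate policy against those rules and renders the matching tmsh create line using the full net ipsec ipsec-policy path. The option names, value sets and defaults come from this page; the dictionary layout, the function names, the treatment of a null cipher as a warning and the double-quoting of description are assumptions of the example.

```python
"""Pre-flight validator for a tmsh 'net ipsec ipsec-policy' definition.

Added example, not F5 code. It encodes only the constraints the manual
page states and builds the corresponding tmsh 'create' command string;
it does not talk to a device.
"""
import ipaddress
import re

# Value sets copied from the SYNTAX section of the manual page.
AEAD_ALGORITHMS = {"aes-gcm128", "aes-gcm192", "aes-gcm256",
                   "aes-gmac128", "aes-gmac192", "aes-gmac256"}
HMAC_AUTH = {"sha1", "sha256", "sha384", "sha512"}
NON_AEAD_ENCRYPT = {"3des", "aes128", "aes192", "aes256", "null"}
MODES = {"transport", "tunnel", "interface"}
IPCOMP = {"deflate", "none", "null"}
MIN_RECOMMENDED_KILOBYTES = 1000  # "minimum recommended value" per the manual


def _check_address(value, field):
    """Accept A.B.C.D or A.B.C.D%ID, the route-domain form the manual describes."""
    m = re.fullmatch(r"([^%]+)(?:%(\d+))?", value)
    if m is None:
        return [f"{field}: malformed address {value!r}"]
    try:
        ipaddress.ip_address(m.group(1))
    except ValueError:
        return [f"{field}: {m.group(1)!r} is not an IP address"]
    return []


def validate_policy(policy):
    """Return (errors, warnings) for a dict of ipsec-policy option values.

    Errors contradict a rule on the manual page; warnings are values the
    manual advises against but still accepts (assumed classification).
    """
    errors, warnings = [], []
    auth = policy.get("ike-phase2-auth-algorithm", "aes-gcm128")     # manual default
    enc = policy.get("ike-phase2-encrypt-algorithm", "aes-gcm128")   # manual default
    if auth in AEAD_ALGORITHMS or enc in AEAD_ALGORITHMS:
        # AEAD: both attributes must name the identical algorithm and key length.
        if auth != enc:
            errors.append(f"AEAD mismatch: auth={auth} encrypt={enc} must be identical")
    else:
        if auth not in HMAC_AUTH:
            errors.append(f"unknown ike-phase2-auth-algorithm {auth!r}")
        if enc not in NON_AEAD_ENCRYPT:
            errors.append(f"unknown ike-phase2-encrypt-algorithm {enc!r}")
        if enc == "null":
            warnings.append("encrypt=null provides integrity only; payload is not encrypted")

    mode = policy.get("mode")
    if mode is not None and mode not in MODES:
        errors.append(f"unknown mode {mode!r}")
    for field in ("tunnel-local-address", "tunnel-remote-address"):
        if field in policy:
            if mode != "tunnel":
                errors.append(f"{field} is only valid when mode is tunnel")
            errors.extend(_check_address(policy[field], field))

    kb = policy.get("ike-phase2-lifetime-kilobytes")
    if kb is not None:
        if kb < 0:
            errors.append("ike-phase2-lifetime-kilobytes must be 0 or a positive integer")
        elif 0 < kb < MIN_RECOMMENDED_KILOBYTES:
            warnings.append(f"ike-phase2-lifetime-kilobytes {kb} is below the "
                            f"recommended minimum of {MIN_RECOMMENDED_KILOBYTES}")

    ipcomp = policy.get("ipcomp")
    if ipcomp is not None and ipcomp not in IPCOMP:
        errors.append(f"unknown ipcomp value {ipcomp!r}")
    if '"' in str(policy.get("description", "")):
        errors.append("description containing a double quote is not handled by this example")
    return errors, warnings


def build_create_command(name, policy):
    """Render the tmsh 'create' line, refusing a policy that fails validation."""
    errors, _ = validate_policy(policy)
    if errors:
        raise ValueError("; ".join(errors))
    parts = []
    for key, value in policy.items():          # insertion order is preserved
        if key == "description":
            value = f'"{value}"'               # assumed: plain double-quoting suffices
        parts.append(f"{key} {value}")
    return f"create net ipsec ipsec-policy {name} {{ {' '.join(parts)} }}"


if __name__ == "__main__":
    # Constructed sample policy: AES-GCM-256 paired on both attributes, tunnel mode.
    sample = {
        "description": "sjc-sea tunnel",
        "mode": "tunnel",
        "tunnel-local-address": "10.0.0.1%2",
        "tunnel-remote-address": "10.0.1.1",
        "ike-phase2-auth-algorithm": "aes-gcm256",
        "ike-phase2-encrypt-algorithm": "aes-gcm256",
        "ike-phase2-lifetime-kilobytes": 500000,
    }
    print(build_create_command("tunnel_policy_sjc_sea", sample))
```

Run the script to print the create line for the constructed sample, or import validate_policy into a change-review step; a policy with aes-gcm128 on one attribute and aes256 on the other, or with tunnel addresses in transport mode, is reported as an error before it reaches the device.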
SEE ALSO
list, net ipsec traffic-selector, net ipsec manual-security-association, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2013, 2016. All rights reserved.
BIG-IP 2020-01-06 net ipsec ipsec-policy(1)