1. ACLI Reference Guide
  2. ACLI Configuration Elements A-M
  3. ipsec > security-policy

ipsec > security-policy

This configuration element defines multiple policy instances with each policy defining match criteria and an operational action performed on matching traffic flows.

Parameters

name
Enter a unique identifier for this security-policy instance.
  • Default: none
  • Value: A valid configuration element name that is unique within the security-policy namespace.
network-interface
Enter the unique name of the network-interface supported by this security-policy instance.
Identify the network interface by providing the interface name and VLAN ID separated by a colon; for example access:10.
  • Default: None
  • Values: Name and VLAN ID of an existing network-interface configuration element.
priority
Set the priority of this security-policy instance, where 0 is the highest priority.
  • Highest priority: 0
  • Lowest priority: 3071
local-ip-addr-match
Enter an IPv4 or IPv6 address; in conjunction with local-ip-mask and local-port-match, this parameter specifies address-based matching criteria for inbound traffic.

Note:

Specifically, local-ip-addr-match works with local-ip-mask to define a range of inbound IP address subject t this security-policy instance. Using default values for both properties, the security-policy instance matches all applicable addresses.
  • Default: 0.0.0.0
  • Values: A valid IPv4 or IPv6 address; the special address value, 0.0.0.0 matches all IPv4 addresses.
remote-ip-addr-match
Enter an IPv4 or IPv6 address; in conjunction with remote-ip-mask and remote-port-match specifies address-based matching criteria for outbound traffic.

Note:

Specifically, remote-ip-addr-match works with remote-ip-mask to define a range of outbound IP addresses subject to this security-policy instance. Using default values for both properties, the security-policy instance matches all applicable addresses.
  • Default: 0.0.0.0
  • Values: A valid IPV4 or IPv6 address; the special address value, 0.0.0.0 matches all IPv4 addresses.
local-port-match
Enter a port number, or the special value 0; in conjunction with local-ip-addr-match and local-ip-mask, the parameter specifies address-based matching criteria for inbound traffic.
The default value disables port-based matching, meaning port numbers are ignored in the default state.
  • Default: 0 (disables port-based matching)
  • Values: Min: 0 / Max: 65535
local-port-match-max
Enter a port number that specifies the maximum value for the local port to which the IPsec Security applies.
  • Default: 65535
  • Values: Min: 0 / Max: 65535
remote-port-match
Enter a port number, or the special value 0; in conjunction with remote-ip-addr-match and remote-ip-mask, this parameter specifies address-based matching criteria for outbound traffic.
The default value disables port-based matching, meaning port numbers are ignored in the default state.
  • Default: 0 (disables port-based matching)
  • Values: Min: 0 / Max: 65535
remote-port-match-max
Enter a port number that specifies the maximum value for the remote port to which the IPsec Security applies.
  • Default: 65535
  • Values: Min: 0 / Max: 65535
trans-protocol-match
Select a specified protocol or the special value all that specifies transport-protocol-based matching criteria for inbound and outbound traffic.
The default value all matches all supported transport layer protocols
  • Default: all
  • Values: all | ICMP | SCTP | TCP | UDP
direction
Select an indicator of the directionality of this security-policy instance.
  • Default: both
  • Values: both - the policy applies to all traffic. | in - the policy applies only to inbound traffic. | out - the policy applies only to outbound traffic.
local-ip-mask
Enter am IPv4 address; in conjunction with local-ipaddr-match and local-port-match, this parameter specifies address-based matching criteria for inbound traffic.
Specifically, local-ip-addr-match works with local-ip-mask to define a range of inbound IP addresses subject to this security-policy instance matches all IPv4 addresses.
  • Default: 255.255.255.255
  • Values: A dotted decimal IP address mask.
remote-ip-mask
Enter an IPv4 address; in conjunction with remote-ip-addr-match and remote-port-match, this parameter specifies address-based matching criteria for outbound traffic.
Specifically, remote-ipaddr-match works with remote-ip-mask to define a range of out IP addresses subject to this security-policy instance matches all IPv4 addresses.
  • Default: 255.255.255.255
  • Values: A valid IPv4 address mask
action
Select the process of trafficking that conforms to the match criteria specified by this security-policy instance.
  • Default: ipsec
  • Values: allow-forwards matching traffic but performs no security processing. | discard-discards matching traffic | ipsec-processes matching traffic per configured IPsec properties.

    Note:

    srtp is not a supported value
outbound-sa-fine-grained-mask
not used for IKE operation.
ike-sainfo-name
Enter the name of the ike-sainfo configuration element assigned to this security-policy instance.
  • Default: None
  • Values: A valid configuration element name that is unique within the ike-sainfo namespace.

Note:

The ike-sainfo configuration element identifies the algorithms and protocols available for the establishment if IP sec Security Associations (SA).
pre-fragmentation
Select, when the value of action is ipsec, whether to enable IPSec packet fragmentation before encryption. When enabled, the MSG fragments outbound jumbo packets before they can be transmitted and then encrypts the fragments so that each transmitted encrypted fragment packet has a valid Encapsulating Security Payload (ESP) header.
  • Default: disabled
  • Values: disabled | enabled

Path

security-policy is a subelement of the ipsec path. The full path from the topmost ACLI prompt is: configure terminal > security> ipsec>security-policy.