Skip to main content
A newer release of this product is available.

security ipsec policy modify

Contributors
Suggest changes

Modify an IPsec policy

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

This command modifies an existing IPsec policy. You cannot modify the name or vserver of a policy. Moving a policy from one Vserver to another or renaming a policy requires that the existing policy be deleted and then a new policy created in the desired Vserver with the desired name.

It is highly recommended that the user set the field -is-enabled to false prior to making any other modifications to the policy. This will disable the policy and allow all existing IPsec and IKE Security Associations associated with policy to get flushed. Then, the user can modify the policy with the desired changes, along with setting the -is-enabled field to true to re-enable the policy.

Parameters

-vserver <vserver name> - Vserver

Specifies the Vserver to which the policy belongs. If there is only a single Vserver capable of supporting IPsec, the Vserver parameter is implied.

-name <text> - Policy Name

This required parameter specifies the name of the policy which may be a text string (1-64 bytes), a hexadecimal string (begining with '0x') or a base64 encoded binary string (beginning with '0s').

[-local-ip-subnets <IP Address/Mask>,…​] - Local IP Subnets

This parameter specifies the IPv4 or IPv6 subnet (address and mask, can be subnet or individual address) representing the local address (range) to be protected by this policy.

[-remote-ip-subnets <IP Address/Mask>,…​] - Remote IP Subnets

This parameter specifies the IPv4 or IPv6 subnet (address and mask, can be subnet or individual address) representing the remote address (range) to be protected by this policy.

[-local-ports {<Number>|<StartingNumber>-<EndingNumber>}] - Local Ports

This parameter specifies the logical port associated with the local address to be protected by this policy. The value may be specified by 'port number' or 'port number-port number'.

[-remote-ports {<Number>|<StartingNumber>-<EndingNumber>}] - Remote Ports

This parameter specifies the logical port associated with the remote address to be protected by this policy. The value may be specified by 'port number' or 'port number-port number'.

[-protocols {<Protocol Number>|<Protocol Name>}] - Protocols

This parameter specifies the protocol to be protected by this policy. The protocol may be specified as 'tcp', 'udp' or protocol number.

[-cipher-suite <Cipher Suite Type>] - Cipher Suite

This parameter specifies the suite of algorithms that will be used to protect the traffic. The possible values are:

SUITEB_GCM256: Suite-B-GCM-256 cipher suite as specified in RFC6379.

SUITEB_GMAC256: Suite-B-GMAC-256 cipher suite as specified in RFC6379.

SUITE_AESCBC: Suite consisting of AES256 CBC and SHA512 for ESP and AES256-SHA512-MODP4096 for IKE.

The default value is 'SUITEB_GCM256'.

[-ike-lifetime <integer>] - IKE Security Association Lifetime

This parameter specifies the lifetime of an IKE Security Association (in seconds). Shortly before the expiration of the IKE-lifetime, a new IKE security association will be created and the existing IKE security association (and child IPsec security associations) will be destroyed.

[-ipsec-lifetime <integer>] - IPsec Security Association Lifetime

This parameter specifies the lifetime of an IPsec Security Association (in seconds). Shortly before the expiration of the ipsec-lifetime, a new IPsec security association will be created and the existing IPsec security association will be destroyed.

[-ipsec-lifetime-bytes <integer>] - IPsec Security Association Lifetime (bytes)

This parameter specifies the byte lifetime of an IPsec Security Association. Shortly before the expiration of the ipsec-lifetime-bytes (ipsec-lifetime-bytes have been processed by the IPsec security association), a new IPsec security association will be created and the existing IPsec security association will be destroyed.

[-is-enabled {true|false}] - Is Policy Enabled

This parameter specifies the whether the IPsec policy is enabled or not. Any policy which is created is stored in a replicated database. The 'is-enabled' parameter determines if the policy will be included in those evaluated when determining the best-matched policy to match the traffic selectors of the packet. The default value is 'true'.

[-local-identity <text>] - Local Identity

This optional parameter specifies the local IKE endpoint's identity for authentication purpose. If this field is not explicitly specified, local-ip-subnet will assume the role for identity. If this field is set to "ANYTHING", then it will be translated to the strongSwan "%any" special identity.

[-remote-identity <text>] - Remote Identity

This optional parameter specifies the remote IKE endpoint's identity for authentication purpose. If this field is not explicitly specified, remote-ip-subnet will assume the role for identity. If this field is set to "ANYTHING", then it will be translated to the strongSwan "%any" special identity.

[-cert-name <text>] - Certificate for Local Identity

This optional parameter specifies the certificate name for an IPsec policy using PKI authentication method.

Examples

The following example modifies the local-ip-subnets value of an IPsec policy:

cluster-1::> security ipsec policy modify -vserver vs_data1 -name Policy1  -local-ip-subnets 192.168.30.2/32