
security ipsec policy create


Create an IPsec policy

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

This command creates a new IPsec policy. The traffic to be protected is specified by the traffic selectors (local-ip-subnets, remote-ip-subnets, local-ports, remote-ports, protocols). IPsec is not supported for the admin Vserver in a MetroCluster environment.

Parameters

-vserver <vserver name> - Vserver

Specifies the Vserver to which the policy will belong. If there is only a single Vserver capable of supporting IPsec, the Vserver parameter is implied.

-name <text> - Policy Name

This required parameter specifies the name of the policy, which may be a text string (1-64 bytes), a hexadecimal string (beginning with '0x') or a base64 encoded binary string (beginning with '0s').

-local-ip-subnets <IP Address/Mask>,…​ - Local IP Subnets

This required parameter specifies the IPv4 or IPv6 subnet (address and mask, can be subnet or individual address) representing the local address (range) to be protected by this policy.

-remote-ip-subnets <IP Address/Mask>,…​ - Remote IP Subnets

This required parameter specifies the IPv4 or IPv6 subnet (address and mask, can be subnet or individual address) representing the remote address (range) to be protected by this policy.

[-local-ports {<Number>|<StartingNumber>-<EndingNumber>}] - Local Ports

This optional parameter specifies the logical port associated with the local address to be protected by this policy. The port defaults to any port ('0-0' or '0'), but a single port ('port number') or a range ('port number-port number') may be specified.

[-remote-ports {<Number>|<StartingNumber>-<EndingNumber>}] - Remote Ports

This optional parameter specifies the logical port associated with the remote address to be protected by this policy. The port defaults to any port ('0-0' or '0'), but a single port ('port number') or a range ('port number-port number') may be specified.

[-protocols {<Protocol Number>|<Protocol Name>}] - Protocols

This optional parameter specifies the protocol to be protected by this policy. The protocol defaults to any protocol ('any' or '0'), but a single protocol may be specified ('tcp', 'udp' or a protocol number).

[-action <IPsec Action Type>] - Action

This optional parameter specifies the action to be performed when a packet meets the traffic selectors described by this policy. The possible values are 'ESP_TRA' (apply ESP transport mode), 'ESP_UDP' (apply ESP UDP encapsulation), 'DISCARD' (discard matching traffic), or 'BYPASS' (send matching traffic in cleartext, not protected by IPsec). NOTE: If the action is 'BYPASS' or 'DISCARD' and an authentication method is provided, it will be ignored. The default value is 'ESP_TRA'.

[-cipher-suite <Cipher Suite Type>] - Cipher Suite

This optional parameter specifies the suite of algorithms that will be used to protect the traffic. The possible values are:

SUITEB_GCM256: Suite-B-GCM-256 cipher suite as specified in RFC6379.

SUITEB_GMAC256: Suite-B-GMAC-256 cipher suite as specified in RFC6379.

SUITE_AESCBC: Suite consisting of AES256 CBC and SHA512 for ESP and AES256-SHA512-MODP4096 for IKE.

The default value is 'SUITEB_GCM256'.

[-ike-lifetime <integer>] - IKE Security Association Lifetime

This optional parameter specifies the lifetime of an IKE Security Association (in seconds). Shortly before the expiration of the IKE-lifetime, a new IKE security association will be created and the existing IKE security association (and child IPsec security associations) will be destroyed. The default value is 86400 seconds.

[-ipsec-lifetime <integer>] - IPsec Security Association Lifetime

This optional parameter specifies the lifetime of an IPsec Security Association (in seconds). Shortly before the expiration of the ipsec-lifetime, a new IPsec security association will be created and the existing IPsec security association will be destroyed. The default value is 28800 seconds.

[-ipsec-lifetime-bytes <integer>] - IPsec Security Association Lifetime (bytes)

This optional parameter specifies the byte lifetime of an IPsec Security Association. Shortly before the expiration of the ipsec-lifetime-bytes (that is, shortly before ipsec-lifetime-bytes have been processed by the IPsec security association), a new IPsec security association will be created and the existing IPsec security association will be destroyed. The default value is 0, i.e., no byte limit.

[-is-enabled {true|false}] - Is Policy Enabled

This optional parameter specifies whether the IPsec policy is enabled or not. Any policy that is created is stored in a replicated database. The 'is-enabled' parameter determines if the policy will be included in those evaluated when determining the best-matched policy to match the traffic selectors of the packet. The default value is 'true'.

[-local-identity <text>] - Local Identity

This optional parameter specifies the local IKE endpoint's identity for authentication purposes. If this field is not explicitly specified, the local-ip-subnets value is used as the identity. If this field is set to "ANYTHING", it is translated to the strongSwan "%any" special identity.

[-remote-identity <text>] - Remote Identity

This optional parameter specifies the remote IKE endpoint's identity for authentication purposes. If this field is not explicitly specified, the remote-ip-subnets value is used as the identity. If this field is set to "ANYTHING", it is translated to the strongSwan "%any" special identity.

[-auth-method <IKE Authentication Method>] - Authentication Method

This optional parameter specifies the authentication method for an IPsec policy. The default value is 'PSK', the pre-shared key authentication method.

[-cert-name <text>] - Certificate for Local Identity

This parameter specifies the certificate name and is mandatory for an IPsec policy using the PKI authentication method. The certificate should have already been installed using the security certificate install command.

Examples

This is an example of the creation of an IPsec policy that protects matching traffic, with all parameters specified. The preshared key can be a string of 18-128 bytes, a sequence of hexadecimal digits beginning with 0x, or a sequence of Base64 encoded binary data beginning with 0s.

cluster-1::> security ipsec policy create -vserver vs_data1 -name Policy1 -local-ip-subnets 192.168.10.1/32 -remote-ip-subnets 192.168.20.1/32 -local-ports 4000 -remote-ports 5001 -protocols tcp -action ESP_TRA -shared-key This_is_a_shared_key_for_ipsec_policy -ike-version 2 -cipher-suite SUITEB_GCM256 -ike-lifetime 4000 -ipsec-lifetime 1800 -ipsec-lifetime-bytes 104880 -is-enabled true

Enter the preshared key for IPsec Policy "Policy1" on Vserver "vs_data1":
Re-enter the preshared key:

This is an example of the creation of an IPsec policy that protects matching traffic, with some parameters specified (the others use their default values). The PKI authentication method is used. In this example, remote-identity does not matter, as long as a trusted certificate is provided.

cluster-1::> security ipsec policy create -vserver vs_data1 -name Policy2 -local-ip-subnets 192.168.10.1/32 -remote-ip-subnets 0.0.0.0/0 -local-ports 2049 -auth-method PKI -cert-name lifcert -local-identity "CN=lif1_certificate.netapp.com" -remote-identity ANYTHING

This is an example of the creation of an IPsec policy that discards matching traffic:

cluster-1::> security ipsec policy create -vserver vs_data1 -name DiscardTraffic -local-ip-subnets 192.168.10.1/32 -remote-ip-subnets 192.168.20.1/32 -action DISCARD
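As an added example (not part of the ONTAP documentation or product code), the following Python pre-flight check encodes the parameter rules described above so a policy can be reviewed before it is created: name formats, subnet and port-range syntax, protocol values, the action and cipher-suite sets, cert-name being mandatory for PKI, and auth-method being ignored for BYPASS and DISCARD. It takes the parameters as a plain dict keyed by parameter name; the ONTAP CLI parser itself is not reproduced, and the "best-matched policy" selection is not modelled.

```python
import base64
import ipaddress
import re

ACTIONS = {"ESP_TRA", "ESP_UDP", "DISCARD", "BYPASS"}
SUITES = {"SUITEB_GCM256", "SUITEB_GMAC256", "SUITE_AESCBC"}

def valid_name(name):
    """Policy name: 1-64 bytes of text, '0x' + hex digits, or '0s' + base64."""
    if name.startswith("0x"):
        return re.fullmatch(r"[0-9a-fA-F]+", name[2:]) is not None
    if name.startswith("0s"):
        try:  # binascii.Error raised by validate=True is a ValueError subclass
            return len(base64.b64decode(name[2:], validate=True)) > 0
        except ValueError:
            return False
    return 1 <= len(name.encode()) <= 64

def valid_ports(spec):
    """'0' or '0-0' means any port; otherwise a single port N or a range N-M."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", spec)
    return bool(m) and 0 <= int(m[1]) <= int(m[2] or m[1]) <= 65535

def valid_protocol(spec):
    """'any' or '0' means any protocol; otherwise 'tcp', 'udp' or a number."""
    return spec.lower() in {"any", "tcp", "udp"} or (spec.isdigit() and int(spec) <= 255)

def check_policy(p):
    """Return the problems found in a dict of create-command parameters."""
    problems = []
    if not valid_name(p.get("name", "")):
        problems.append("name: must be 1-64 bytes of text, 0x<hex> or 0s<base64>")
    for key in ("local-ip-subnets", "remote-ip-subnets"):  # required selectors
        try:
            for subnet in p[key].split(","):
                ipaddress.ip_network(subnet, strict=False)
        except (KeyError, ValueError):
            problems.append(f"{key}: required, each entry must be address/mask")
    for key in ("local-ports", "remote-ports"):  # default '0' = any port
        if not valid_ports(p.get(key, "0")):
            problems.append(f"{key}: expected N or N-M (0 means any)")
    if not valid_protocol(p.get("protocols", "any")):
        problems.append("protocols: expected any, tcp, udp or a protocol number")
    action = p.get("action", "ESP_TRA")
    if action not in ACTIONS or p.get("cipher-suite", "SUITEB_GCM256") not in SUITES:
        problems.append("action/cipher-suite: unknown value")
    if action in {"BYPASS", "DISCARD"} and "auth-method" in p:
        problems.append(f"auth-method: ignored because action is {action}")
    if p.get("auth-method", "PSK") == "PKI" and not p.get("cert-name"):
        problems.append("cert-name: mandatory with the PKI authentication method")
    return problems
```

Run over the parameter sets of the three examples above, Policy1 passes cleanly, Policy2 passes because cert-name is supplied, and DiscardTraffic is flagged only if an auth-method is given alongside DISCARD.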