Create an IPsec policy

POST /security/ipsec/policies

Introduced In: 9.8

Creates an IPsec policy.

Related ONTAP commands

  • security ipsec policy create

Parameters

return_records (boolean, in: query, required: no)
    The default is false. If set to true, the records are returned.
Request Body

action (string)
    Action for the IPsec policy.

authentication_method (string)
    Authentication method for the IPsec policy.

certificate (certificate)
    Certificate for the IPsec policy.

enabled (boolean)
    Indicates whether or not the policy is enabled.

ipspace (ipspace)
    Applies to both SVM and cluster-scoped objects. Either the UUID or name may be supplied on input.

local_endpoint (local_endpoint)
    Local endpoint for the IPsec policy.

local_identity (string)
    Local identity.

name (string)
    IPsec policy name.

protocol (string)
    Lower-layer protocol to be covered by the IPsec policy.

remote_endpoint (remote_endpoint)
    Remote endpoint for the IPsec policy.

remote_identity (string)
    Remote identity.

scope (string)
    Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster".

secret_key (string)
    Pre-shared key for IKE negotiation.

svm (svm)
    SVM; applies only to SVM-scoped objects.

uuid (string)
    Unique identifier of the IPsec policy.

Example request
{
  "action": "string",
  "authentication_method": "string",
  "certificate": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "string",
    "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
  },
  "ipspace": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "Default",
    "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
  },
  "local_endpoint": {
    "address": "10.10.10.7",
    "family": "string",
    "netmask": "24",
    "port": "23"
  },
  "local_identity": "string",
  "name": "string",
  "protocol": "17",
  "remote_endpoint": {
    "address": "10.10.10.7",
    "family": "string",
    "netmask": "24",
    "port": "23"
  },
  "remote_identity": "string",
  "scope": "string",
  "secret_key": "string",
  "svm": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
}

Response

Status: 201, Created
_links (_links)

error (error)

num_records (integer)
    Number of records

records (array[records])

Example response
{
  "_links": {
    "next": {
      "href": "/api/resourcelink"
    },
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist"
  },
  "num_records": 1,
  "records": [
    {
      "action": "string",
      "authentication_method": "string",
      "certificate": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "string",
        "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
      },
      "ipspace": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "Default",
        "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
      },
      "local_endpoint": {
        "address": "10.10.10.7",
        "family": "string",
        "netmask": "24",
        "port": "23"
      },
      "local_identity": "string",
      "name": "string",
      "protocol": "17",
      "remote_endpoint": {
        "address": "10.10.10.7",
        "family": "string",
        "netmask": "24",
        "port": "23"
      },
      "remote_identity": "string",
      "scope": "string",
      "secret_key": "string",
      "svm": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "svm1",
        "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
      },
      "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
    }
  ]
}

Headers

Location (string)
    Useful for tracking the resource location

Error

Status: Default

ONTAP Error Response Codes

Error Code  Description

66257099  Only one protocol can be specified.
66257100  Only one local port can be specified.
66257101  Only one remote port can be specified.
66257102  Internet Key Exchange version 1 (IKEv1) is not supported.
66257104  An IPsec policy with the same name already exists in this SVM.
66257107  The specified pre-shared key is not a valid hexadecimal string.
66257109  The specified pre-shared key is not a valid Base64-encoded binary string.
66257110  Failed to create a policy sequencing value.
66257112  The IPsec policy with the action specified does not provide packet protection, and the authentication method provided for the policy will be ignored.
66257113  Only one local IP subnet can be specified.
66257114  Only one remote IP subnet can be specified.
66257115  Port ranges containing more than one port are not supported.
66257117  IPsec is not supported on the SVM specified in the policy; IPsec is supported on data SVMs only.
66257120  The subnet selector must be a host address (an IPv4 address with a 32-bit netmask or an IPv6 address with a 128-bit netmask).
66257121  The maximum limit of IPsec policies has been reached for the specified SVM.
66257125  The local_endpoint.address must be specified with local_endpoint.netmask.
66257126  The remote_endpoint.address must be specified with remote_endpoint.netmask.
66257127  The local subnet must be configured as a non-zero subnet.
66257128  Invalid ANY wildcard subnet.
66257129  A specific local or remote port number is required when the remote subnet is configured as an ANY wildcard subnet.
66257130  The maximum limit of IPsec policies has been reached for the cluster.
66257131  ESP in UDPv6 encapsulation is not supported.
66257132  Invalid value for the port field. The value should be in the range <0-65535>.
66257133  A pre-shared key is needed for the PSK authentication method. Use the secret_key option to specify a key.
66257134  An end-entity certificate is needed for the PKI authentication method. Use the certificate.uuid option to specify an end-entity certificate.
66257135  The specified certificate is not found on the SVM.
66257136  A certificate is not needed for the PSK authentication method.
66257137  A pre-shared key is not needed for the PKI authentication method.
66257138  Remote identity is required when using certificate verification.
66257139  The certificate with the specified UUID was not found.
66257140  Only certificates with a client or server type are supported.
66257142  Failed to create the IPsec policy because the specified SVM is being migrated.
66257143  Invalid IPsec policy provided. The subnet must be non-empty.
66257144  The IPsec policy actions ESP TRANSPORT and ESP UDP each provide packet protection and require a secret key or certificate for authentication.
66257148  The policy name does not meet the required length of ASCII-range characters.
66257199  Not all of the nodes in the cluster are running a version that supports the IPsec feature.
66257200  The shared key does not meet the required length of ASCII-range characters.
66257201  Support for the feature is available with the effective cluster version or later.
66257202  The specified SVM name is invalid.
66257203  The specified SVM UUID is invalid.
66257204  The specified IPspace UUID and IPspace name refer to different IPspaces.
66257205  The specified SVM must exist in the specified IPspace.
66257305  The certificate UUID does not match the provided certificate name.
66257396  IPsec is not supported for the admin SVM in a MetroCluster configuration.

Also see the table of common errors in the Response body overview section of this documentation.
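Added example, not NetApp's code: a client-side pre-check that mirrors a subset of the error rules documented above (endpoint address/netmask and port rules, the PSK versus PKI requirements, and the ESP actions that need a key or certificate), so a malformed body is rejected locally, with the matching ONTAP error code, before the POST is sent. The spellings of the action and authentication_method values are assumptions, since the page does not list them.

```python
import re

# Assumed spellings of the documented values (the page does not list them).
PSK, PKI = "psk", "pki"
PROTECTING_ACTIONS = {"esp_transport", "esp_udp"}   # "ESP TRANSPORT" / "ESP UDP"

def _check_endpoint(ep, missing_netmask_code, problems):
    """Endpoint rules: address needs a netmask (66257125/66257126),
    a single port (66257115) in the range 0-65535 (66257132)."""
    if not ep:
        return
    if "address" in ep and "netmask" not in ep:
        problems.append(missing_netmask_code)
    port = ep.get("port")
    if port is None:
        return
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", str(port))
    if m and m.group(2) and m.group(1) != m.group(2):
        problems.append(66257115)       # port range with more than one port
    elif not m or not 0 <= int(m.group(1)) <= 65535:
        problems.append(66257132)       # malformed or out-of-range port

def validate_policy(body):
    """Return the sorted ONTAP error codes the request body would trigger."""
    problems = []
    _check_endpoint(body.get("local_endpoint"), 66257125, problems)
    _check_endpoint(body.get("remote_endpoint"), 66257126, problems)
    method = (body.get("authentication_method") or "").lower()
    has_key = bool(body.get("secret_key"))
    cert_uuid = (body.get("certificate") or {}).get("uuid")
    if method == PSK:
        if not has_key:
            problems.append(66257133)   # PSK needs secret_key
        if cert_uuid:
            problems.append(66257136)   # certificate not needed for PSK
    elif method == PKI:
        if not cert_uuid:
            problems.append(66257134)   # PKI needs certificate.uuid
        if has_key:
            problems.append(66257137)   # pre-shared key not needed for PKI
        if not body.get("remote_identity"):
            problems.append(66257138)   # remote identity required with certs
    if (body.get("action") or "").lower() in PROTECTING_ACTIONS \
            and not (has_key or cert_uuid):
        problems.append(66257144)       # ESP actions need a key or certificate
    return sorted(set(problems))
```

An empty list means none of the mirrored rules fired; ONTAP still applies the remaining checks (subnet, scope, IPspace, SVM) server-side.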

error (returned_error)

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

href

    href (string)

_links

    self (href)

certificate

Certificate for the IPsec policy.

    _links (_links)

    name (string)
        Certificate name

    uuid (string)
        Certificate UUID

ipspace

Applies to both SVM and cluster-scoped objects. Either the UUID or name may be supplied on input.

    _links (_links)

    name (string)
        IPspace name

    uuid (string)
        IPspace UUID

local_endpoint

Local endpoint for the IPsec policy.

    address (string)
        IPv4 or IPv6 address

    family (string)
        IPv4 or IPv6

    netmask (string)
        Input as netmask length (16) or IPv4 mask (255.255.0.0). For IPv6, the default value is 64 with a valid range of 1 to 127. Output is always the netmask length.

    port (string)
        Application port to be covered by the IPsec policy

remote_endpoint

Remote endpoint for the IPsec policy.

    address (string)
        IPv4 or IPv6 address

    family (string)
        IPv4 or IPv6

    netmask (string)
        Input as netmask length (16) or IPv4 mask (255.255.0.0). For IPv6, the default value is 64 with a valid range of 1 to 127. Output is always the netmask length.

    port (string)
        Application port to be covered by the IPsec policy

svm

SVM; applies only to SVM-scoped objects.

    _links (_links)

    name (string)
        The name of the SVM. This field cannot be specified in a PATCH method.

    uuid (string)
        The unique identifier of the SVM. This field cannot be specified in a PATCH method.

ipsec_policy

IPsec policy object.

    action (string)
        Action for the IPsec policy.

    authentication_method (string)
        Authentication method for the IPsec policy.

    certificate (certificate)
        Certificate for the IPsec policy.

    enabled (boolean)
        Indicates whether or not the policy is enabled.

    ipspace (ipspace)
        Applies to both SVM and cluster-scoped objects. Either the UUID or name may be supplied on input.

    local_endpoint (local_endpoint)
        Local endpoint for the IPsec policy.

    local_identity (string)
        Local identity.

    name (string)
        IPsec policy name.

    protocol (string)
        Lower-layer protocol to be covered by the IPsec policy.

    remote_endpoint (remote_endpoint)
        Remote endpoint for the IPsec policy.

    remote_identity (string)
        Remote identity.

    scope (string)
        Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster".