Use the Security Policy Database (SPD) window to configure IPsec SPD entries for the SBC. The SPD entries establish the phase 2 criteria for negotiation between the SBC and an IKE peer. The successful completion of this negotiation results in a Security Association (SA).

To View SPD Entries

On the SBC main screen, navigate to All > Address Context > IPsec > SPD. The SPD window opens.

To Create an SPD Entry

To create a new SPD entry:

Use the drop-down box to select the desired Address Context for the SPD.

Click New SPD. The Create New SPD window opens.

The following fields are displayed:

Action
Length/Range: N/A
Description: The action applied to packets processed by IPsec that match the selectors of this SPD rule.
  • Discard (default) – Specifies that the packets are dropped.
  • Bypass – Specifies that the packets are passed through as clear text.
  • Protect – Specifies that the packets are protected by IPsec according to the protection parameters in the configured IPsec Protection Profile.

Local IP Addr
Length/Range: N/A
Description: Specifies the local IPv4 or IPv6 address of the SPD traffic selector. Zero indicates wildcard.

Local IP Prefix Len
Length/Range: 0-128
Description: Specifies the local IP prefix length of the SPD traffic selector. Default value is 0.

Local Port
Length/Range: 0-65535
Description: Specifies the local port of the SPD traffic selector. Zero indicates wildcard. Default value is 0.

Media
Length/Range: N/A
Description:

Note: This feature applies to SBC 7000 only.

Enable this flag when configuring media SPD entries so that the resulting IPsec SAs are identified as media IPsec SAs. When the administrative State of the media IPsec SPD entry is enabled and IPsec For Media is enabled on the Media IP Interface Group, the IkeProcess starts IKE negotiation with the IPsec peer and the IPsec SAs are established.

The Media flag is passed down to the IkeProcess and stored in the SPD/selector data structures to identify media IPsec SAs.

If media SPD entries are enabled before IPsec For Media is enabled on the Media LIF Group, the IkeProcess starts IKE negotiation for all media SPD entries as soon as IPsec For Media is enabled on the corresponding LIF Group.

  • Disable (default)
  • Enable

Modified for 10.1.2.

Mode
Length/Range: N/A
Description: Use this parameter to set the IPsec mode for the SPD.
  • Tunnel (default) – Use this mode to encrypt and authenticate the entire IP packet (both header and payload). The encrypted packet is encapsulated in a new packet with a new IP header.
  • Transport – Use this mode to encrypt and authenticate the IP payload only.

Notes:
  • This parameter is only applicable when Action is set to Protect.
  • Transport mode is the recommended mode for LI configuration.
  • Tunnel mode is recommended for SIP peering. Transport mode is also supported for SIP peering, but it requires the SBC's SIP signaling port IP address to be the same as the SBC's IP interface IP address.

Name
Length/Range: 1-23
Description: Specifies the name of an IPsec Security Policy Database (SPD) entry. The IPsec SPD is an ordered list of entries ("rules"), each of which specifies a set of packets and determines whether to permit, deny, or protect packets between the SBC and the peer referenced from the entry. If the packets are to be protected, the entry references the information that specifies how to protect them.

You may create and configure up to 4,096 SPD entries.

Precedence
Length/Range: 0-65535
Description: A unique precedence (evaluation order) for this SPD entry.

Protocol
Length/Range: 0-255
Description: Specifies the IP protocol number of the SPD traffic selector. This parameter uses the IANA protocol number assignment; for example, protocol number 6 represents TCP and protocol number 17 represents UDP. Zero indicates wildcard. Default value is 0.

Remote IP Addr
Length/Range: N/A
Description: Specifies the remote IPv4 or IPv6 address of the SPD traffic selector. Zero indicates wildcard.

Remote IP Prefix Len
Length/Range: 0-128
Description: Specifies the remote IP prefix length of the SPD traffic selector. Default value is 0.

Remote Port
Length/Range: 0-65535
Description: Specifies the remote port of the SPD traffic selector. Zero indicates wildcard. Default value is 0.

State
Length/Range: N/A
Description: Administrative state to disable or enable an SPD entry.

Enter the required information in the fields and click Save to create a new SPD.

Restrictions on IPsec SPD configuration when used for IPsec media

Ensure that the following conditions are met:

  1. The local selector (Local IP Addr and Local IP Prefix Len) must encompass all possible local Media IPs, including the LIF Primary IP and all optional Alternate Media IPs. Also, it must not encompass any non-media IPs used by the SBC, such as the SIP Signaling IP address.

    Note

    The SIP Signaling Address must be different from the LIF Primary IP address (IP Address).

  2. The remote selector (Remote IP Addr and Remote IP Prefix Len) must encompass all possible Media IPs used by the remote SBC. Also, it must not encompass any non-media IPs used by the remote peer.
  3. The mode is set to Tunnel.
  4. The Media flag is enabled.

Note

One Security Policy Database (SPD) entry is created for each IPsec tunnel. It is possible to create multiple IPsec tunnels that use the same IP Interface Group, for example, one for signaling traffic and one for media traffic.
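As an added illustration (not part of the SBC documentation or product code), the following Python models how the selector fields above are evaluated: entries are walked in precedence order, zero means wildcard, and the first match yields the Action. It also checks a media SPD entry against restrictions 1 and 2 (local and remote selectors must cover every media IP and no non-media IP). Assumptions: a lower Precedence value is evaluated first, and all addresses in the sample are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SpdEntry:
    name: str
    precedence: int          # unique evaluation order; assumed lower value is evaluated first
    action: str              # "Discard", "Bypass" or "Protect"
    local_ip: str = "0"      # "0" (or an all-zero address) is the wildcard, as on the SPD form
    local_prefix: int = 0
    local_port: int = 0
    remote_ip: str = "0"
    remote_prefix: int = 0
    remote_port: int = 0
    protocol: int = 0        # IANA protocol number; 0 = wildcard


def ip_selected(sel_ip, prefix_len, addr):
    """True if addr lies inside sel_ip/prefix_len, or the selector is a wildcard."""
    if sel_ip in ("0", "0.0.0.0", "::"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{sel_ip}/{prefix_len}", strict=False)


def lookup(spd, local_ip, local_port, remote_ip, remote_port, proto):
    """Walk the SPD in precedence order; return (name, action) of the first matching rule, else None."""
    for e in sorted(spd, key=lambda r: r.precedence):
        if (ip_selected(e.local_ip, e.local_prefix, local_ip) and e.local_port in (0, local_port)
                and ip_selected(e.remote_ip, e.remote_prefix, remote_ip) and e.remote_port in (0, remote_port)
                and e.protocol in (0, proto)):
            return e.name, e.action
    return None


def check_media_selectors(e, local_media, local_other, remote_media, remote_other):
    """Restrictions 1 and 2: each selector must cover every media IP and no non-media IP on its side."""
    problems = []
    for side, sel_ip, plen, must, must_not in (("local", e.local_ip, e.local_prefix, local_media, local_other),
                                               ("remote", e.remote_ip, e.remote_prefix, remote_media, remote_other)):
        problems += [f"{side} selector misses media IP {ip}" for ip in must if not ip_selected(sel_ip, plen, ip)]
        problems += [f"{side} selector covers non-media IP {ip}" for ip in must_not if ip_selected(sel_ip, plen, ip)]
    return problems


# Constructed sample SPD (addresses are made up): media rule, signaling rule, catch-all Discard.
SAMPLE_SPD = [
    SpdEntry("media-spd", 10, "Protect", "10.1.1.0", 24, 0, "10.2.2.0", 24, 0, 17),
    SpdEntry("sig-spd", 20, "Protect", "10.1.0.5", 32, 5060, "10.2.0.5", 32, 5060, 6),
    SpdEntry("default-discard", 65535, "Discard"),
]
```

Note that the signaling IP 10.1.0.5 sits outside the media selector 10.1.1.0/24, which is what restriction 1 requires; widening the local selector to 10.1.0.0/16 would make check_media_selectors report it.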

To Edit an SPD Entry

To edit an SPD entry:

  1. Click the radio button next to the specific SPD name. The Edit Selected SPD window opens.
  2. Make the required changes and click Save at the bottom right of the panel to save them.

To Copy an SPD Entry

To copy an SPD entry:

  1. Click the radio button next to the specific SPD you want to copy.
  2. Click Copy SPD. The Copy Selected SPD window opens.
  3. Make any required changes to the fields and click Save to save the changes. 

To Delete an SPD Entry

To delete an SPD entry:

  1. Click the radio button next to the SPD which you want to delete.
  2. Click the Delete icon (X) at the end of the row. 
  3. Confirm the deletion when prompted.