Use this object to configure the IPsec Security Policy Database (SPD) for the SBC Core. If the action parameter is set to "protect", the SPD entry defines the phase 2 criteria (the traffic selectors) for the negotiation between the SBC and the IKE peer. Successful completion of this negotiation results in a Security Association (SA).
Command Syntax
% set addressContext <addressContext name> ipsec spd <spd_name> action <bypass | discard | protect> localIpAddr <ipAddress> localIpPrefixLen <0-128> localPort <0-65535> mode <transport | tunnel> precedence <0-65535> protocol <0-255> remoteIpAddr <ipAddress> remoteIpPrefixLen <0-128> remotePort <0-65535> state <disabled | enabled>
Command Parameters
Restrictions on IPsec SPD configuration when used for IPsec media
Ensure that the following conditions are met:
- The local selector (localIpAddr and localIpPrefixLen) must encompass all possible local Media IPs, including the LIF Primary IP and all optional Alternate Media IPs. Also, it must not encompass any non-media IPs used by the SBC, such as the SIP Signaling IP address.
  Note: The SIP Signaling Address must be different than the LIF Primary IP address (ipAddress).
- The remote selector (remoteIpAddr and remoteIpPrefixLen) must encompass all possible Media IPs used by the remote SBC. Also, it must not encompass any non-media IPs used by the remote peer.
- The mode is set to tunnel.
- The media flag is enabled.
One Security Policy Database (SPD) entry is created for each IPsec tunnel. It is possible to create multiple IPsec tunnels that use the same IP Interface Group. That is, one for signaling traffic and one for media traffic.
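The selector restrictions above are easy to get wrong by hand: a prefix that is too wide pulls the SIP signaling address into the media SA, and one that is too narrow leaves an Alternate Media IP unprotected. The following is an added example, not part of the SBC documentation, that checks a proposed SPD entry against a constructed list of local and remote media and non-media IPs. The addresses, the SpdEntry class and the check functions are assumptions made for this example; only the parameter names (localIpAddr, localIpPrefixLen, remoteIpAddr, remoteIpPrefixLen, mode, media) come from the page.

```python
"""Check IPsec SPD selectors against the media-tunnel restrictions (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample addressing (not from the SBC documentation): a LIF primary
# media IP, an Alternate Media IP and a SIP signaling IP on each side.
LOCAL_MEDIA_IPS = ["10.16.230.2", "10.16.230.3"]    # LIF Primary IP + Alternate Media IP
LOCAL_NON_MEDIA_IPS = ["10.16.230.10"]               # SIP Signaling IP, must stay outside
REMOTE_MEDIA_IPS = ["10.16.220.2", "10.16.220.3"]
REMOTE_NON_MEDIA_IPS = ["10.16.220.10"]


@dataclass(frozen=True)
class SpdEntry:
    """The subset of 'ipsec spd' parameters that the media restrictions refer to."""
    name: str
    mode: str            # "transport" or "tunnel"
    media: bool          # the media flag
    local_ip: str        # localIpAddr
    local_prefix_len: int    # localIpPrefixLen
    remote_ip: str       # remoteIpAddr
    remote_prefix_len: int   # remoteIpPrefixLen

    def local_selector(self):
        # strict=False lets a host address plus prefix length describe its block
        return ipaddress.ip_network(f"{self.local_ip}/{self.local_prefix_len}", strict=False)

    def remote_selector(self):
        return ipaddress.ip_network(f"{self.remote_ip}/{self.remote_prefix_len}", strict=False)


def _check_selector(label: str, selector, must_cover: List[str], must_exclude: List[str]) -> List[str]:
    """A selector must contain every media IP and none of the non-media IPs."""
    problems = []
    for ip in must_cover:
        if ipaddress.ip_address(ip) not in selector:
            problems.append(f"{label} selector {selector} does not cover media IP {ip}")
    for ip in must_exclude:
        if ipaddress.ip_address(ip) in selector:
            problems.append(f"{label} selector {selector} covers non-media IP {ip}")
    return problems


def check_media_spd(entry: SpdEntry, local_media: List[str], local_non_media: List[str],
                    remote_media: List[str], remote_non_media: List[str]) -> List[str]:
    """Return the list of restriction violations; an empty list means the entry passes."""
    problems = []
    if entry.mode != "tunnel":
        problems.append(f"mode is {entry.mode!r}; media SPD entries must use 'tunnel'")
    if not entry.media:
        problems.append("media flag is not enabled")
    problems += _check_selector("local", entry.local_selector(), local_media, local_non_media)
    problems += _check_selector("remote", entry.remote_selector(), remote_media, remote_non_media)
    return problems


def run_checks() -> Dict[str, List[str]]:
    """Evaluate a few constructed candidate entries against the sample addressing."""
    candidates = [
        # /29 covers .0-.7: both media IPs in, the signaling IP (.10) out
        SpdEntry("SPD_MEDIA_OK", "tunnel", True, "10.16.230.0", 29, "10.16.220.0", 29),
        # /24 also pulls the signaling IPs into the media SA
        SpdEntry("SPD_MEDIA_TOO_WIDE", "tunnel", True, "10.16.230.0", 24, "10.16.220.0", 24),
        # /32 protects the primary IP only and misses the Alternate Media IP
        SpdEntry("SPD_MEDIA_TOO_NARROW", "tunnel", True, "10.16.230.2", 32, "10.16.220.2", 32),
        # correct selectors but wrong mode and media flag
        SpdEntry("SPD_MEDIA_TRANSPORT", "transport", False, "10.16.230.0", 29, "10.16.220.0", 29),
    ]
    return {
        e.name: check_media_spd(e, LOCAL_MEDIA_IPS, LOCAL_NON_MEDIA_IPS,
                                REMOTE_MEDIA_IPS, REMOTE_NON_MEDIA_IPS)
        for e in candidates
    }


if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(name, "OK" if not problems else "")
        for p in problems:
            print("   -", p)
```

Run it before committing an SPD entry: anything reported under "covers non-media IP" means signaling traffic would be pushed into the media tunnel, and "does not cover media IP" means media from that address would not be protected by this SA at all.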
Command Examples
% set addressContext default ipsec spd SPD3 localIpAddr 10.16.230.2 localIpPrefixLen 32 remoteIpAddr 10.16.220.2 remoteIpPrefixLen 32 action protect protocol 17 state enabled precedence 102

% show addressContext default ipsec spd SPD3
{
    state enabled;
    precedence 102;
    localIpAddr 10.16.230.2;
    localIpPrefixLen 32;
    remoteIpAddr 10.16.220.2;
    remoteIpPrefixLen 32;
    protocol 17;
    action protect;
}