Use this object to configure the IPsec Security Policy Database (SPD) for the SBC Core. If the action parameter is set to "protect", the SPD entry establishes the phase 2 criteria for the negotiation between the SBC and the IKE peer. Successful completion of this negotiation results in a Security Association (SA).
Command Syntax
% set addressContext <addressContext name> ipsec spd <spd_name> action <bypass | discard | protect> localIpAddr <ipAddress> localIpPrefixLen <0-128> localPort <0-65535> mode <transport | tunnel> precedence <0-65535> protocol <0-255> remoteIpAddr <ipAddress> remoteIpPrefixLen <0-128> remotePort <0-65535> state <disabled | enabled>
Command Parameters
IPsec SPD Parameters
| Parameter | Length/Range | Description |
|---|---|---|
| spd_name | 1-23 | Specifies the name of an IPsec Security Policy Database (SPD) entry. The IPsec SPD is an ordered list of entries ("rules") that specify sets of packets and determine whether to permit, deny, or protect packets between the SBC and the peer referenced from the entry. If the packets are to be protected, this entry references information that specifies how to protect them. You can configure up to 4,096 SPD entries. |
| action | N/A | Action applied to packets processed by IPsec that match the selectors of this SPD rule: bypass, discard, or protect. |
| localIpAddr | IPv4/IPv6 address | Specifies the local IPv4 or IPv6 address of the SPD traffic selector. Default is 0.0.0.0. |
| localIpPrefixLen | 0-128 | Specifies the local IP prefix length of the SPD traffic selector. Default value is 0. Note: If the IPsec Peer protocol is set to “IKEv2” or “ANY”, |
| localPort | 0-65535 | Specifies the local port of the SPD traffic selector. Zero indicates wildcard. Default value is 0. |
| media | N/A | Note: This feature applies to SBC 7000 only. Enable this flag while configuring media SPD entries to identify media IPsec SAs. Whenever the media IPsec SPD administrative "state" is enabled, and if the If media SPD states are enabled before |
| mode | N/A | Set the SPD mode type: transport or tunnel. |
| precedence | 0-65535 | A unique precedence (evaluation order) for this SPD entry. |
| protocol | 0-255 | Specifies the IP protocol number of the SPD traffic selector. This parameter uses the IANA protocol number assignment; for example, protocol number 6 represents TCP and protocol number 17 represents UDP. Zero indicates wildcard. Default value is 0. |
| remoteIpAddr | IPv4/IPv6 address | Specifies the remote IPv4 or IPv6 address of the SPD traffic selector. Default is 0.0.0.0. |
| remoteIpPrefixLen | 0-128 | Specifies the remote IP prefix length of the peer's SPD traffic selector. Zero indicates wildcard. Default value is 0. Note: If the IPsec Peer protocol is set to “IKEv2” or “ANY”, |
| remotePort | 0-65535 | Specifies the remote port of the SPD traffic selector. Zero indicates wildcard. Default value is 0. |
| state | N/A | Administrative state of this SPD entry: disabled or enabled. |
Restrictions on IPsec SPD configuration when used for IPsec media
Ensure that the following conditions are met:
- The local selector (localIpAddr and localIpPrefixLen) must encompass all possible local Media IPs, including the LIF Primary IP and all optional Alternate Media IPs. Also, it must not encompass any non-media IPs used by the SBC, such as the SIP Signaling IP address. Note: The SIP Signaling Address must be different than the LIF Primary IP address (ipAddress).
- The remote selector (remoteIpAddr and remoteIpPrefixLen) must encompass all possible Media IPs used by the remote SBC. Also, it must not encompass any non-media IPs used by the remote peer.
- The mode is set to tunnel.
- The media flag is enabled.
One Security Policy Database (SPD) entry is created for each IPsec tunnel. It is possible to create multiple IPsec tunnels that use the same IP Interface Group. That is, one for signaling traffic and one for media traffic.
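The selector semantics in the parameter table (prefix-based address selectors, zero as a port and protocol wildcard, precedence ordering) and the media-SPD restrictions above can be exercised offline with the following added example. It is not SBC code: the SpdEntry model, the lookup() order (lower precedence first) and the no-match default (discard, as in RFC 4301) are assumptions made for illustration, and media_spd_violations() checks a candidate media entry against the restrictions listed above.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class SpdEntry:  # constructed model named after the page's CLI parameters (not SBC code)
    name: str
    precedence: int
    action: str                 # bypass | discard | protect
    localIpAddr: str = "0.0.0.0"
    localIpPrefixLen: int = 0   # a /0 selector matches any IPv4 address
    localPort: int = 0          # 0 = wildcard
    remoteIpAddr: str = "0.0.0.0"
    remoteIpPrefixLen: int = 0
    remotePort: int = 0
    protocol: int = 0           # IANA number (6 = TCP, 17 = UDP), 0 = wildcard
    mode: str = "transport"
    media: bool = False
    state: str = "enabled"
    def local_net(self):
        return ipaddress.ip_network(f"{self.localIpAddr}/{self.localIpPrefixLen}", strict=False)
    def remote_net(self):
        return ipaddress.ip_network(f"{self.remoteIpAddr}/{self.remoteIpPrefixLen}", strict=False)
    def matches(self, local_ip, remote_ip, proto, local_port, remote_port):
        # An IPv6 address is never "in" an IPv4 network, so 0.0.0.0/0 wildcards IPv4 only.
        return (ipaddress.ip_address(local_ip) in self.local_net()
                and ipaddress.ip_address(remote_ip) in self.remote_net()
                and self.protocol in (0, proto)
                and self.localPort in (0, local_port)
                and self.remotePort in (0, remote_port))

def lookup(spd, local_ip, remote_ip, proto, local_port, remote_port):
    """First enabled match wins; assumes lower precedence evaluates first, no match -> discard."""
    for e in sorted(spd, key=lambda e: e.precedence):
        if e.state == "enabled" and e.matches(local_ip, remote_ip, proto, local_port, remote_port):
            return e.name, e.action
    return None, "discard"

def media_spd_violations(e, local_media_ips, signaling_ip, remote_media_ips):
    """Check the restrictions the page places on an SPD entry used for IPsec media."""
    ln, rn, problems = e.local_net(), e.remote_net(), []
    problems += [f"local selector omits media IP {ip}" for ip in local_media_ips
                 if ipaddress.ip_address(ip) not in ln]
    if ipaddress.ip_address(signaling_ip) in ln:
        problems.append(f"local selector covers SIP signaling IP {signaling_ip}")
    problems += [f"remote selector omits peer media IP {ip}" for ip in remote_media_ips
                 if ipaddress.ip_address(ip) not in rn]
    if e.mode != "tunnel" or not e.media:
        problems.append("mode must be tunnel and the media flag enabled")
    return problems
```

The sample entries below the fence (SPD3 from the command example plus constructed media entries) show a UDP packet between the two /32 hosts being protected while TCP falls through to a lower-precedence catch-all.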
Command Examples
% set addressContext default ipsec spd SPD3 localIpAddr 10.16.230.2 localIpPrefixLen 32 remoteIpAddr 10.16.220.2 remoteIpPrefixLen 32 action protect protocol 17 state enabled precedence 102
% show addressContext default ipsec spd SPD3
{
state enabled;
precedence 102;
localIpAddr 10.16.230.2;
localIpPrefixLen 32;
remoteIpAddr 10.16.220.2;
remoteIpPrefixLen 32;
protocol 17;
action protect;
}