
Use this object to configure the IPsec Security Policy Database (SPD) for the SBC. If the action parameter is set to "protect", the SPD establishes the phase 2 criteria for the negotiation between the SBC and the IKE peer. The successful completion of this negotiation results in a Security Association (SA).

Command Syntax

% set addressContext <addressContext name> ipsec spd <spd_name> 
	action <bypass | discard | protect> 
	localIpAddr <ipAddress> 
	localIpPrefixLen <0-128> 
	localPort <0-65535>
	media <disable | enable>
	mode <transport | tunnel>
	precedence <0-65535> 
	protocol <0-255> 
	remoteIpAddr <ipAddress> 
	remoteIpPrefixLen <0-128> 
	remotePort <0-65535> 
	state <disabled | enabled>

Command Parameters

Table: IPsec SPD Parameters

Each entry below gives the parameter name, its length or range in parentheses, and its description.

spd (1-23)
    Specifies the name of an IPsec Security Policy Database (SPD) entry. The IPsec SPD is an ordered list of entries ("rules") that specify sets of packets and determine whether to permit, deny, or protect packets between the SBC and the peer that is referenced from the entry. If the packets are to be protected, this entry references information that specifies how to protect them.

    You can configure up to 4,096 SPD entries.

action (N/A)
    The action applied to packets processed by IPsec that match the selectors of this SPD rule.

      • discard (default) – The packets are dropped.
      • bypass – The packets bypass IPsec and are passed as clear text.
      • protect – The packets are protected by IPsec according to the protection parameters specified in the configured IPsec protection profile.

localIpAddr (IPv4/IPv6 address)
    Specifies the local IPv4 or IPv6 address of the SPD traffic selector. Default is 0.0.0.0.

localIpPrefixLen (0-128)
    Specifies the local IP prefix length of the SPD traffic selector. Default value is 0.

    Note: If the IPsec Peer protocol is set to "IKEv2" or "ANY", localIpPrefixLen must be set to "32" for IPv4 and "128" for IPv6 because the SBC does not support range-based parameters for IKEv2 selectors.

localPort (0-65535)
    Specifies the local port of the SPD traffic selector. Zero indicates wildcard. Default value is 0.

media (N/A)
    Applies to media over IPsec (SBC 7000 only).

    Enable this flag while configuring media SPD entries to identify media IPsec SAs. Whenever the media IPsec SPD administrative "state" is enabled, and the ipsecForMedia state is enabled on the media ipInterfaceGroup, the IkeProcess starts an IKE negotiation with the IPsec peer and IPsec SAs are established.

    The media flag is further passed down to the IkeProcess and stored in the spd/selector data structures to identify media IPsec SAs.

    If media SPD states are enabled before the ipsecForMedia state is enabled for the media LIFGroup, the IkeProcess starts an IKE negotiation for all media SPD entries as soon as the ipsecForMedia state is enabled on the corresponding LIFGroup.

      • disable (default)
      • enable

    Available since release 10.1.2.

mode (N/A)
    Sets the SPD mode.

      • transport – Use this mode to encrypt and authenticate the IP payload only.
      • tunnel (default) – Use this mode to encrypt and authenticate the entire IP packet (both header and payload). The encrypted packet is encapsulated in a new packet containing a new IP header.

    Notes:

      • This parameter is only applicable when action is set to "protect".
      • Transport mode is the recommended mode for LI configuration.
      • Tunnel mode is recommended for SIP peering. Although transport mode is also supported for SIP peering, the use of transport mode requires the SBC's SIP signaling port IP address to be the same as the SBC's IP interface IP address.

precedence (0-65535)
    A unique precedence (evaluation order) for this SPD entry.

protocol (0-255)
    Specifies the IP protocol number of the SPD traffic selector. This parameter uses the IANA protocol number assignment; for example, protocol number 6 represents TCP and protocol number 17 represents UDP. Zero indicates wildcard. Default value is 0.

remoteIpAddr (IPv4/IPv6 address)
    Specifies the remote IPv4 or IPv6 address of the SPD traffic selector. Default is 0.0.0.0.

remoteIpPrefixLen (0-128)
    Specifies the remote IP prefix length of the peer's SPD traffic selector. Zero indicates wildcard. Default value is 0.

    Note: If the IPsec Peer protocol is set to "IKEv2" or "ANY", remoteIpPrefixLen must be set to "32" for IPv4 and "128" for IPv6 because the SBC does not support range-based parameters for IKEv2 selectors.

remotePort (0-65535)
    Specifies the remote port of the SPD traffic selector. Zero indicates wildcard. Default value is 0.

state (N/A)
    Administrative state of this SPD entry.

      • disabled (default)
      • enabled


Restrictions on IPsec SPD configuration when used for IPsec media

Ensure that the following conditions are met:

  1. The local selector (localIpAddr and localIpPrefixLen) must encompass all possible local Media IPs, including the LIF Primary IP and all optional Alternate Media IPs. It must not encompass any non-media IPs used by the SBC, such as the SIP Signaling IP address.

     Note: The SIP Signaling Address must be different from the LIF Primary IP address (ipAddress).

  2. The remote selector (remoteIpAddr and remoteIpPrefixLen) must encompass all possible Media IPs used by the remote SBC. It must not encompass any non-media IPs used by the remote peer.
  3. The mode is set to tunnel.
  4. The media flag is enabled.

Note: One Security Policy Database (SPD) entry is created for each IPsec tunnel. It is possible to create multiple IPsec tunnels that use the same IP Interface Group, that is, one for signaling traffic and one for media traffic.
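The following Python validator is an added example, not part of this page or of the SBC product: it checks a planned media SPD entry against the four restrictions above, the IKEv2/ANY prefix-length note on localIpPrefixLen and remoteIpPrefixLen, and the requirement that precedence be unique. The SpdEntry class and the media IPs 10.16.230.10 and 10.16.220.10 are assumptions for the sample; the signaling IPs are the addresses the SPD3 example below uses.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class SpdEntry:  # parameter names follow the command syntax above
    name: str
    localIpAddr: str
    localIpPrefixLen: int
    remoteIpAddr: str
    remoteIpPrefixLen: int
    precedence: int
    mode: str = "tunnel"    # CLI default
    media: str = "disable"  # CLI default

def selector(ip, prefix_len):
    # strict=False masks host bits, so 10.16.230.10/24 becomes 10.16.230.0/24
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)

def check_media_spd(entry, local_media, local_other, remote_media, remote_other,
                    ike_protocol="IKEv2"):
    """Return the violated media-SPD restrictions (an empty list means acceptable)."""
    problems = []
    sides = (("local", entry.localIpAddr, entry.localIpPrefixLen, local_media, local_other),
             ("remote", entry.remoteIpAddr, entry.remoteIpPrefixLen, remote_media, remote_other))
    for side, ip, plen, media_ips, other_ips in sides:
        net = selector(ip, plen)
        # Restrictions 1 and 2: cover every media IP, cover no non-media IP
        problems += [f"{side} selector {net} misses media IP {m}"
                     for m in media_ips if ipaddress.ip_address(m) not in net]
        problems += [f"{side} selector {net} covers non-media IP {o}"
                     for o in other_ips if ipaddress.ip_address(o) in net]
        # Prefix-length note: IKEv2/ANY selectors must be host prefixes (/32 or /128)
        if ike_protocol in ("IKEv2", "ANY") and plen != net.max_prefixlen:
            problems.append(f"{side}IpPrefixLen is {plen}, must be {net.max_prefixlen}")
    # Restrictions 3 and 4: tunnel mode with the media flag enabled
    if entry.mode != "tunnel":
        problems.append(f"mode is {entry.mode}, must be tunnel")
    if entry.media != "enable":
        problems.append("media flag must be enabled")
    return problems

def duplicate_precedences(entries):
    """precedence must be unique per SPD entry; return any value used more than once."""
    seen = {}
    for e in entries:
        seen[e.precedence] = seen.get(e.precedence, 0) + 1
    return sorted(p for p, n in seen.items() if n > 1)

# Constructed sample: media IPs are assumed; signaling IPs 10.16.230.2 / 10.16.220.2 come from SPD3
GOOD = SpdEntry("SPD_MEDIA", "10.16.230.10", 32, "10.16.220.10", 32, 101, "tunnel", "enable")
BAD = SpdEntry("SPD_BAD", "10.16.230.10", 24, "10.16.220.10", 32, 101, "transport", "disable")
```

BAD is rejected for four reasons (its /24 local selector also covers the signaling IP, the prefix is not /32, transport mode, media disabled), and the two entries share precedence 101.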

Command Examples

% set addressContext default ipsec spd SPD3 localIpAddr 10.16.230.2 localIpPrefixLen 32 remoteIpAddr 10.16.220.2 remoteIpPrefixLen 32 action protect protocol 17 state enabled precedence 102

% show addressContext default ipsec 
spd SPD3 {
 state enabled;
 precedence 102;
 localIpAddr 10.16.230.2;
 localIpPrefixLen 32;
 remoteIpAddr 10.16.220.2;
 remoteIpPrefixLen 32;
 protocol 17;
 action protect;
}


ipsecForMedia and media configuration:

set addressContext AC1 ipsec spd SPD3 media enable