Use the SPD (Security Policy Database) window to configure IPsec SPD entries for the SBC. The SPD entries establish the phase 2 criteria for negotiation between the SBC and an IKE peer. The successful completion of this negotiation results in a Security Association (SA).
On the SBC main screen, navigate to All > Address Context > IPsec > SPD.
The SPD window opens.
To Create an SPD Entry
To create a new SPD entry:
Use the drop-down box to select the desired Address Context for the SPD.
Click New SPD. The Create New SPD window opens.
The following fields are displayed:
SPD Parameters
Parameter | Length/Range | Description |
---|---|---|
Name | 1-23 | Specifies the name of an IPsec Security Policy Database (SPD) entry. The IPsec SPD is an ordered list of entries ("rules") that specify sets of packets and determine whether or not to permit, deny, or protect packets between the You may create and configure up to 4,096 SPD entries. |
State | N/A | Administrative state that enables or disables the SPD entry. |
Precedence | 0-65535 | A unique precedence (evaluation order) for this SPD. |
Local IP Addr | N/A | Specifies the local IPv4 or IPv6 address of the SPD traffic selector. Zero indicates wildcard. |
Local IP Prefix Len | 0-128 | Specifies the local IP prefix length of the SPD traffic selector. Default value is 0. |
Local Port | 0-65535 | Specifies the local port of the SPD traffic selector. Zero indicates wildcard. Default value is 0. |
Remote IP Addr | N/A | Specifies the remote IPv4 or IPv6 address of the SPD traffic selector. Zero indicates wildcard. |
Remote IP Prefix Len | 0-128 | Specifies the remote IP prefix length of the SPD traffic selector. Default value is 0. |
Remote Port | 0-65535 | Specifies the remote port of the SPD traffic selector. Zero indicates wildcard. Default value is 0. |
Protocol | 0-255 | Specifies the IP protocol number of the SPD traffic selector. This parameter uses the IANA protocol number assignment; for example, protocol number 6 represents TCP and protocol number 17 represents UDP. Zero indicates wildcard. Default value is 0. |
Action | N/A | Action applied to packets processed by IPsec that match the selectors of this SPD rule. |
Mode | N/A | Use this parameter to set the IPsec mode for the SPD. |
Media | N/A | Note: This feature applies to the SBC 7000 only. Enable this flag when configuring media SPD entries so that the resulting IPsec SAs are identified as media SAs. When the administrative state of a media IPsec SPD entry is enabled and IPsec For Media is enabled on the Media IP Interface Group, the IkeProcess starts IKE negotiation with the IPsec peer and the IPsec SAs are established. The Media flag is passed down to the IkeProcess and stored in the spd/selector data structures to identify media IPsec SAs. If media SPD entries are enabled before IPsec For Media is enabled on the Media LIF Group, the IkeProcess starts IKE negotiation for all media SPD entries as soon as IPsec For Media is enabled on the corresponding LIF Group. |
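The table above describes each SPD entry as a set of traffic selectors (local/remote address with prefix length, ports, protocol, with 0 meaning wildcard) evaluated in precedence order. The following added example models that lookup so the wildcard and ordering semantics can be checked against sample traffic; it is illustrative code, not SBC software. It assumes that lower precedence values are evaluated first, that the first enabled entry whose selectors all match decides, and the action labels used in the sample are placeholders, since the page does not list the available actions.

```python
# Added example (not Ribbon/SBC code): a model of how IPsec SPD entries are
# matched. Assumptions: entries are evaluated in ascending precedence, the
# first enabled entry whose selectors all match decides, and "0" / prefix
# length 0 are wildcards, as the parameter table describes.
import ipaddress
from dataclasses import dataclass


@dataclass
class SpdEntry:
    name: str
    precedence: int
    local_ip: str          # "0" means wildcard
    local_prefix_len: int  # 0 means wildcard
    local_port: int        # 0 means wildcard
    remote_ip: str
    remote_prefix_len: int
    remote_port: int
    protocol: int          # IANA number, 0 means wildcard
    action: str            # placeholder labels; the page lists no action names
    state: str = "enabled"


def _addr_matches(sel_ip: str, prefix_len: int, pkt_ip: str) -> bool:
    """Zero address or prefix length 0 is a wildcard; otherwise a prefix match."""
    if sel_ip in ("0", "0.0.0.0", "::") or prefix_len == 0:
        return True
    net = ipaddress.ip_network(f"{sel_ip}/{prefix_len}", strict=False)
    addr = ipaddress.ip_address(pkt_ip)
    return addr.version == net.version and addr in net


def lookup(spd, local_ip, local_port, remote_ip, remote_port, protocol):
    """Return (entry name, action) of the first matching enabled entry, or None."""
    for e in sorted(spd, key=lambda x: x.precedence):
        if e.state != "enabled":
            continue
        if not _addr_matches(e.local_ip, e.local_prefix_len, local_ip):
            continue
        if not _addr_matches(e.remote_ip, e.remote_prefix_len, remote_ip):
            continue
        if e.local_port and e.local_port != local_port:
            continue
        if e.remote_port and e.remote_port != remote_port:
            continue
        if e.protocol and e.protocol != protocol:
            continue
        return e.name, e.action
    return None


# Constructed sample SPD: a narrow SIP-over-UDP rule outranks a broad catch-all.
SAMPLE_SPD = [
    SpdEntry("sip_trunk", 10, "10.1.1.5", 32, 5060, "192.0.2.0", 24, 0, 17, "protect"),
    SpdEntry("catch_all", 100, "0", 0, 0, "0", 0, 0, 0, "discard"),
]
```

Swapping the two precedence values in the sample shows why the page insists on a unique precedence: the catch-all would then shadow the specific rule.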
To edit an SPD entry:
To copy an SPD entry:
To delete an SPD entry: