
Alcatel-Lucent OmniSwitch 6860 Series User Manual

Configuring IPsec Configuring IPsec on the OmniSwitch
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 18-12
Use the no form of the command to remove the configured IPsec policy. For example:
-> no ipsec policy tcp_in
Enabling and Disabling a Policy
You can administratively enable or disable the configured security policy by using the keywords
admin-state enable/disable after the command as shown below:
-> ipsec policy tcp_in admin-state disable
The above command disables the configured IPsec security policy.
Assigning a Priority to a Policy
You can use the optional priority parameter to assign a priority to the configured IPsec policy so that if
IPv6 traffic matches more than one configured policy, the policy with the highest priority is applied to the
traffic. The policy with the lower value has the higher priority. For example:
-> ipsec policy tcp_in priority 500
Policy Priority Example
-> ipsec policy telnet_deny priority 1000 source ::/0 destination ::/0 port 23 protocol tcp in discard
-> ipsec policy telnet_ipsec priority 200 source 3ffe:1200::/32 destination ::/0 port 23 protocol tcp in ipsec admin-state disable
-> ipsec policy telnet_ipsec rule 1 esp
-> ipsec policy telnet_ipsec admin-state enable
-> ipsec policy telnet_clear priority 100 source 3ffe:1200::1 destination ::/0 port 23 protocol tcp in none
-> ipsec policy telnet_malicious priority 1 source 3ffe:1200::35 destination ::/0 port 23 protocol tcp in discard
1 Policy telnet_deny is the lowest priority policy. It will discard any incoming telnet connection
attempts.
2 Policy telnet_ipsec covers a subset of the source addresses of telnet_deny. With its greater priority, it
overrides telnet_deny and allows incoming telnet connections from addresses starting with the prefix
3ffe:1200::/32 as long as they are protected by ESP.
3 The policy telnet_clear overrides telnet_ipsec, allowing telnet connection attempts from the host
3ffe:1200::1 to be accepted without any IPsec protection.
4 Policy telnet_malicious can be configured to handle a known malicious system that otherwise would
fall under the telnet_ipsec policy. Its priority of 1 ensures that it always takes precedence and discards any
incoming telnet connection attempts from the known malicious system.
Note. Policies cannot be enabled until at least one rule is configured. See “Configuring an IPsec Rule” on
page 18-14.
Note. If two security policies have the same priority then the one configured first will be processed first.
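
The precedence rules above can be checked offline before a policy set is pushed to a switch. The following Python model is an added example, not code from the manual or from AOS: it evaluates the four telnet policies against constructed source addresses using the stated rules (lowest priority value wins, ties go to the policy configured first). It matches only on source and port because destination, protocol and direction are identical in this example, and it assumes a disabled policy is skipped.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    priority: int      # lower value = higher priority
    source: str        # IPv6 prefix or single host
    port: int
    action: str        # "discard", "ipsec" or "none"
    enabled: bool = True   # assumption: a disabled policy never matches

# The four policies from the example, in the order they were configured.
POLICIES = [
    Policy("telnet_deny", 1000, "::/0", 23, "discard"),
    Policy("telnet_ipsec", 200, "3ffe:1200::/32", 23, "ipsec"),
    Policy("telnet_clear", 100, "3ffe:1200::1", 23, "none"),
    Policy("telnet_malicious", 1, "3ffe:1200::35", 23, "discard"),
]

def select_policy(policies, src, dport):
    """Return the policy applied to an inbound TCP packet, or None."""
    addr = ipaddress.IPv6Address(src)
    matches = [
        (p.priority, order, p)
        for order, p in enumerate(policies)
        if p.enabled and p.port == dport
        and addr in ipaddress.IPv6Network(p.source)
    ]
    # Lowest priority value wins; equal values fall back to configuration order.
    return min(matches, key=lambda m: m[:2])[2] if matches else None

def audit(policies, probes, dport=23):
    """Map each probe source to (policy name, action) for review."""
    result = {}
    for src in probes:
        p = select_policy(policies, src, dport)
        result[src] = (p.name, p.action) if p else (None, None)
    return result

# Constructed probe addresses, one for each case in the numbered list.
PROBES = ["2001:db8::9", "3ffe:1200::77", "3ffe:1200::1", "3ffe:1200::35"]

if __name__ == "__main__":
    for src, (name, action) in audit(POLICIES, PROBES).items():
        print(f"{src:<16} -> {name} ({action})")
```

Running the audit with telnet_ipsec left disabled shows hosts in 3ffe:1200::/32 falling through to telnet_deny, which is a quick way to spot a policy that was staged but never enabled.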
