[Contents]
[Prev]
[Next]
[Index]
[Report an Error]
Defining IKE Policy Rules for IPSec Tunnels
This section describes enhancements to some IKE
policy rule commands to support dynamic IPSec subscribers.
Specifying a Virtual Router for an IKE Policy Rule
The ip address virtual-router command enables an IKE policy rule to limit its scope to a specific
local IP address on a specific virtual router. When enabled, this
limitation ensures that this policy rule is evaluated for IKE security
association evaluations for only the specified IP address and virtual
router.
When initiating and responding to an IKE SA exchange,
the router evaluates the possible policy rules as follows:
- If an IP-address-specific IKE policy rule refers to the
local IP address and virtual router for this exchange, the router
evaluates this policy rule before any non-IP-address-specific IKE
policy rules. If more than one IP-address-specific IKE policy rule
exists, the router evaluates the policy rule with the lowest priority
number first and then evaluates the policy rule with the next highest
priority number and so on.
- If no IP-address-specific IKE policy rule refers to the
local IP address and virtual router for this exchange, the router
evaluates all non-IP-address-specific IKE policy rules in the normal
IKE policy rule evaluation order.
You can define an IKE policy rule without specifying
an IP address or virtual router (the default). When not specifically
configured, the IKE policy rule remains valid for any local IP address
on any virtual router residing on the router.
ip
address virtual-router
- Use to limit the scope of the IKE policy rule to the specified
local IP address on the specified virtual router. This limitation
ensures that this policy rule is evaluated for IKE security association
evaluations for only the specified IP address and virtual router.
- Example
- host1(config-ike-policy)#ip address virtual-router
VR1
- Use the no version to remove
the IP address and virtual router limitation.
- See ip address virtual-router.
Defining Aggressive Mode for an IKE Policy Rule
The aggressive-mode command
enables aggressive mode negotiation for the tunnel. For additional
information about aggressive mode and how it works, see Main Mode and Aggressive Mode .
aggressive-mode
- Use to enable aggressive mode negotiation for the tunnel.
- If you specify aggressive mode negotiation, the tunnel
proposes aggressive mode to the peer in connections that the policy
initiates.
- If the peer initiates a negotiation, the tunnel accepts
the negotiation if the mode matches this policy.
- Use the accepted keyword to
accept aggressive mode when proposed by peers
- Use the requested keyword to
request aggressive mode when negotiating with peers
- Use the required keyword to
only request and accept aggressive mode when negotiating with peers.
- Example
- host1(config-ike-policy)#aggressive-mode accepted
- Use the no version to set the
negotiation mode to main mode.
- See aggressive-mode.
[Contents]
[Prev]
[Next]
[Index]
[Report an Error]
