Defining IKE Policy Rules for IPSec Tunnels

This section describes enhancements to some IKE policy rule commands to support dynamic IPSec subscribers.

Specifying a Virtual Router for an IKE Policy Rule

The ip address virtual-router command enables an IKE policy rule to limit its scope to a specific local IP address on a specific virtual router. When configured, the policy rule is considered during IKE security association (SA) negotiations only for the specified local IP address on the specified virtual router.

When initiating and responding to an IKE SA exchange, the router evaluates the possible policy rules as follows:

You can define an IKE policy rule without specifying an IP address or virtual router (the default). When not specifically configured, the IKE policy rule remains valid for any local IP address on any virtual router residing on the router.

ip address virtual-router

Defining Aggressive Mode for an IKE Policy Rule

The aggressive-mode command enables aggressive mode negotiation for the tunnel. For additional information about aggressive mode and how it works, see Main Mode and Aggressive Mode.

aggressive-mode
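The following configuration is an added example, not part of the original documentation, that puts the two commands described above together: one IKE policy rule scoped to a single local address on a named virtual router with aggressive mode enabled, and a second rule left at the default scope. The prompt format, the ipsec ike-policy-rule command and its arguments (assumed here to be the IKE peer address and a priority), and the exact argument order of ip address virtual-router are assumptions based on the command names this section uses; the addresses and the virtual router name are constructed.

```text
! Added example; JunosE CLI syntax is assumed, addresses and names are constructed.
! Rule 1: scoped to local address 192.0.2.1 on virtual router subscriber-vr.
! Only IKE SA negotiations arriving at that address on that VR consider this rule,
! so enabling aggressive mode here affects only that scope.
host1(config)#ipsec ike-policy-rule 198.51.100.7 10
host1(config-ike-policy-rule)#ip address 192.0.2.1 virtual-router subscriber-vr
host1(config-ike-policy-rule)#aggressive-mode
host1(config-ike-policy-rule)#exit
!
! Rule 2: no ip address virtual-router statement (the default), so this rule
! remains valid for any local IP address on any virtual router on the router.
! Aggressive mode is not enabled, so negotiations matching it use main mode.
host1(config)#ipsec ike-policy-rule 198.51.100.7 20
host1(config-ike-policy-rule)#exit
```

The practical consequence of the scoping rule is that an unscoped policy rule is evaluated router-wide; if aggressive mode is wanted only for a particular subscriber-facing address, attach the ip address virtual-router limitation to the rule that enables it, as in rule 1, rather than to the default rule.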