Software Release 2.3.1


IP Security (IPsec) Source Interface and Enhancements

A source interface can now be specified for tunnelled IPsec traffic. The performance of IPsec is also enhanced, and more simultaneous IPsec tunnels are supported, because of the increase in ENCO channels.

A new SRCINTERFACE parameter has been added to the SET and CREATE IPSEC POLICY commands. The SRCINTERFACE parameter specifies which interface on the router will be used as the source interface for tunnelled IPsec traffic. If the SRCINTERFACE parameter is not specified, the router uses the interface given by the INTERFACE parameter.

The syntax for these commands is now:

SET IPSEC POLICY=name [ACTION={DENY|IPSEC|PERMIT}] [BUNDLESPECIFICATION=bundlespecification-id] [DFBIT={SET|COPY|CLEAR}] [GROUP={0|1|2}] [IPROUTETEMPLATE=template-name] [ISAKMPPOLICY=isakmp-policy-name] [LADDRESS={ANY|ipadd[-ipadd]}] [LMASK=ipadd] [LNAME={ANY|system-name}] [LPORT={ANY|OPAQUE|port}] [PEERADDRESS={ipadd|ANY|DYNAMIC}] [POSITION=pos] [RADDRESS={ANY|ipadd[-ipadd]}] [RMASK=ipadd] [RNAME={ANY|system-name}] [RPORT={ANY|port|OPAQUE}] [SRCINTERFACE=interface] [TRANSPORTPROTOCOL={ANY|EGP|ESP|GRE|ICMP|OPAQUE|OSPF|RSVP|TCP|UDP|protocol}] [UDPHEARTBEAT={TRUE|FALSE}] [UDPPORT=port] [UDPTUNNEL={TRUE|FALSE}] [USEPFSKEY={TRUE|FALSE}]

CREATE IPSEC POLICY=name INTERFACE=interface ACTION={DENY|IPSEC|PERMIT} [BUNDLESPECIFICATION=bundlespecification-id] [DFBIT={SET|COPY|CLEAR}] [GROUP={0|1|2}] [IPROUTETEMPLATE=template-name] [ISAKMPPOLICY=isakmp-policy-name] [KEYMANAGEMENT={ISAKMP|MANUAL}] [LADDRESS={ANY|ipadd[-ipadd]}] [LMASK=ipadd] [LNAME={ANY|system-name}] [LPORT={ANY|OPAQUE|port}] [PEERADDRESS={ipadd|ANY|DYNAMIC}] [POSITION=pos] [RADDRESS={ANY|ipadd[-ipadd]}] [RMASK=ipadd] [RNAME={ANY|system-name}] [RPORT={ANY|port|OPAQUE}] [SASELECTORFROMPKT={ALL|LADDRESS|LPORT|NONE|RADDRESS|RPORT|TRANSPORTPROTOCOL}] [SRCINTERFACE=interface] [TRANSPORTPROTOCOL={ANY|EGP|ESP|GRE|ICMP|OPAQUE|OSPF|RSVP|TCP|UDP|protocol}] [UDPHEARTBEAT={TRUE|FALSE}] [UDPPORT=port] [UDPTUNNEL={TRUE|FALSE}] [USEPFSKEY={TRUE|FALSE}]

where:

interface is an interface name formed by joining a layer 2 interface type, an interface instance, and optionally a hyphen followed by a logical interface number in the range 0 to 15 (e.g. eth0, vlan1, ppp1-1).
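The following is an added illustration of the SRCINTERFACE parameter in use; it is a constructed example, not a configuration taken from the release note or from Allied Telesis. It assumes an ISAKMP policy named hq and a bundle specification with id 1 have already been created, and it uses constructed names and documentation-range addresses (policy name toHQ, peer 203.0.113.10, local network 192.168.10.0/24, remote network 192.168.20.0/24). The policy is attached to the WAN interface ppp0 with INTERFACE, while SRCINTERFACE=vlan1 makes the LAN interface the source interface for the tunnelled traffic; the second command shows the same parameter being set on an existing policy with SET IPSEC POLICY. Without SRCINTERFACE, the router would use ppp0, the value of INTERFACE, as the source interface.

```text
CREATE IPSEC POLICY=toHQ INTERFACE=ppp0 ACTION=IPSEC KEYMANAGEMENT=ISAKMP ISAKMPPOLICY=hq BUNDLESPECIFICATION=1 PEERADDRESS=203.0.113.10 LADDRESS=192.168.10.0 LMASK=255.255.255.0 RADDRESS=192.168.20.0 RMASK=255.255.255.0 SRCINTERFACE=vlan1

SET IPSEC POLICY=toHQ SRCINTERFACE=vlan1
```

Only parameters listed in the syntax above are used; every value is a placeholder to be replaced with the site's own interface names, policy names and addresses.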

Software Release 2.3.1 C613-10325-00 REV B

Allied Telesis AT-AR300 manual IP Security IPsec Source Interface Enhancements