Enabling And Disabling A Policy; Assigning A Priority To A Policy - OmniSwitch os6900 Network Configuration Manual

Configuring IPsec on the OmniSwitch

Enabling and Disabling a Policy

You can administratively enable or disable the configured security policy by using the keywords admin-state enable/disable after the command as shown below:
-> ipsec policy tcp_in admin-state disable
The above command disables the configured IPsec security policy.
Note. Policies cannot be enabled until at least one rule is configured. See "Configuring an IPsec Rule" on page 18-14.

Assigning a Priority to a Policy

You can use the optional priority parameter to assign a priority to the configured IPsec policy so that, if IPv6 traffic matches more than one configured policy, the policy with the highest priority is applied to the traffic. The lower the priority value, the higher the priority. For example:
-> ipsec policy tcp_in priority 500
Note. If two security policies have the same priority, the one configured first is processed first.
Policy Priority Example
-> ipsec policy telnet_deny priority 1000 source ::/0 destination ::/0 port 23 protocol tcp in discard
-> ipsec policy telnet_ipsec priority 200 source 3ffe:1200::/32 destination ::/0 port 23 protocol tcp in ipsec admin-state disable
-> ipsec policy telnet_ipsec rule 1 esp
-> ipsec policy telnet_ipsec admin-state enable
-> ipsec policy telnet_clear priority 100 source 3ffe:1200::1 destination ::/0 port 23 protocol tcp in none
-> ipsec policy telnet_malicious priority 1 source 3ffe:1200::35 destination ::/0 port 23 protocol tcp in discard
1. Policy telnet_deny is the lowest priority policy. It discards any incoming telnet connection attempt.
2. Policy telnet_ipsec covers a subset of the source addresses of telnet_deny. With its higher priority, it overrides telnet_deny and allows incoming telnet connections from addresses within the prefix 3ffe:1200::/32 as long as they are protected by ESP. Note that it is created with admin-state disable, given its ESP rule, and only then enabled, because a policy cannot be enabled before it has at least one rule.
3. Policy telnet_clear overrides telnet_ipsec for the single host 3ffe:1200::1, allowing telnet connection attempts from that host to be accepted without any IPsec protection.
4. Policy telnet_malicious can be configured to handle a known malicious system that would otherwise fall under the telnet_ipsec policy. Its priority of 1 ensures that it always takes precedence and discards any incoming telnet connection attempt from the known malicious system.
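The selection logic behind the example above, modelled in Python as an added illustration (this is not the OmniSwitch's own code, and the Policy and PolicyTable classes are assumptions). It reproduces the four telnet policies, applies the two ordering rules stated on this page (lowest priority value wins; equal priorities fall back to configuration order), skips administratively disabled policies, and refuses to enable an ipsec-action policy that has no rule yet. Applying the "no rule, no enable" restriction only to ipsec-action policies is an assumption drawn from the example, where the discard and none policies are never given rules.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    # Fields mirror the CLI parameters shown on this page (assumed model, not the switch's code).
    name: str
    priority: int          # lower value = higher priority
    source: str            # IPv6 prefix or host address
    destination: str
    port: int
    protocol: str          # e.g. "tcp"
    direction: str         # "in" or "out"
    action: str            # "discard", "ipsec" or "none"
    admin_state: str = "enable"
    rules: List[str] = field(default_factory=list)   # e.g. ["esp"]

    def matches(self, src: str, dst: str, port: int, protocol: str, direction: str) -> bool:
        """True if a flow with these attributes falls under this policy."""
        return (
            ipaddress.ip_address(src) in ipaddress.ip_network(self.source, strict=False)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination, strict=False)
            and self.port == port
            and self.protocol == protocol
            and self.direction == direction
        )


class PolicyTable:
    """Policies kept in configuration order; that order breaks priority ties."""

    def __init__(self) -> None:
        self._policies: List[Policy] = []

    def _get(self, name: str) -> Policy:
        for p in self._policies:
            if p.name == name:
                return p
        raise KeyError(name)

    def add(self, policy: Policy) -> None:
        # Assumption: the "no rule, no enable" restriction applies to ipsec-action policies,
        # the only kind that needs an ESP/AH rule to do anything.
        if policy.action == "ipsec" and policy.admin_state == "enable" and not policy.rules:
            raise ValueError(f"{policy.name}: cannot be enabled before a rule is configured")
        self._policies.append(policy)

    def add_rule(self, name: str, rule: str) -> None:
        self._get(name).rules.append(rule)

    def set_admin_state(self, name: str, state: str) -> None:
        p = self._get(name)
        if state == "enable" and p.action == "ipsec" and not p.rules:
            raise ValueError(f"{name}: cannot be enabled before a rule is configured")
        p.admin_state = state

    def lookup(self, src: str, dst: str, port: int, protocol: str, direction: str) -> Optional[Policy]:
        """Pick the policy that applies to a flow: among enabled, matching policies the
        lowest priority value wins; equal priorities go to the one configured first."""
        candidates = [
            (p.priority, idx, p)            # idx is unique, so Policy objects are never compared
            for idx, p in enumerate(self._policies)
            if p.admin_state == "enable" and p.matches(src, dst, port, protocol, direction)
        ]
        return min(candidates)[2] if candidates else None


def build_example() -> PolicyTable:
    """The policy priority example from this page, entered in the same order as the CLI session."""
    table = PolicyTable()
    table.add(Policy("telnet_deny", 1000, "::/0", "::/0", 23, "tcp", "in", "discard"))
    table.add(Policy("telnet_ipsec", 200, "3ffe:1200::/32", "::/0", 23, "tcp", "in", "ipsec",
                     admin_state="disable"))
    table.add_rule("telnet_ipsec", "esp")
    table.set_admin_state("telnet_ipsec", "enable")
    table.add(Policy("telnet_clear", 100, "3ffe:1200::1", "::/0", 23, "tcp", "in", "none"))
    table.add(Policy("telnet_malicious", 1, "3ffe:1200::35", "::/0", 23, "tcp", "in", "discard"))
    return table


def telnet_decision(table: PolicyTable, src: str) -> Optional[str]:
    """Name of the policy applied to an inbound telnet flow from src (destination is constructed)."""
    hit = table.lookup(src, "2001:db8::1", 23, "tcp", "in")
    return hit.name if hit else None


if __name__ == "__main__":
    t = build_example()
    # Constructed sample sources: the known malicious host, the clear-text host,
    # another host in the ESP-protected prefix, and a host outside it.
    for src in ("3ffe:1200::35", "3ffe:1200::1", "3ffe:1200::7", "2001:db8::9"):
        hit = t.lookup(src, "2001:db8::1", 23, "tcp", "in")
        print(f"{src:16} -> {hit.name} ({hit.action})")
```

Running it shows the precedence chain described in the numbered list: the /128 entries beat the /32 entry, which beats the catch-all, purely because of their priority values and not because of prefix length. The switch does not do longest-prefix matching between policies, so a narrower prefix given a larger priority value would silently lose to the broader one.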
OmniSwitch AOS Release 7 Network Configuration Guide, June 2013, page 18-12
