Defining the Tunnel MTU; Defining IKE Policy Rules for IPSec Tunnels; Specifying a Virtual Router for an IKE Policy Rule - Juniper JUNOSE 11.0.X IP SERVICES Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration

Defining the Tunnel MTU

The tunnel mtu command configures the maximum transmission unit (MTU) size for the
tunnel.

tunnel mtu
- Use to configure the maximum transmission unit size for the tunnel.
- Example
  host1(config-ipsec-tunnel-profile)#tunnel mtu 3000
- Use the no version to restore the default value, an MTU size of 1400 bytes.
- See tunnel mtu.

Defining IKE Policy Rules for IPSec Tunnels

This section describes enhancements to some IKE policy rule commands to support
dynamic IPSec subscribers.

Specifying a Virtual Router for an IKE Policy Rule

The ip address virtual-router command enables an IKE policy rule to limit its scope
to a specific local IP address on a specific virtual router. When enabled, this limitation
ensures that the policy rule is evaluated during IKE security association (SA)
evaluations for only the specified IP address and virtual router.

When initiating and responding to an IKE SA exchange, the router evaluates the
possible policy rules as follows:

- If an IP-address-specific IKE policy rule refers to the local IP address and virtual
  router for this exchange, the router evaluates this policy rule before any
  non-IP-address-specific IKE policy rules. If more than one IP-address-specific IKE
  policy rule exists, the router evaluates the policy rule with the lowest priority
  number first, then evaluates the policy rule with the next highest priority
  number, and so on.
- If no IP-address-specific IKE policy rule refers to the local IP address and virtual
  router for this exchange, the router evaluates all non-IP-address-specific IKE
  policy rules in the normal IKE policy rule evaluation order.

You can define an IKE policy rule without specifying an IP address or virtual router
(the default). When not specifically configured, the IKE policy rule remains valid for
any local IP address on any virtual router residing on the router.

ip address virtual-router
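
The rule evaluation order described in this section, modeled as an added example (not code from the manual or from JUNOSE) for auditing which IKE policy rules a given local endpoint can reach. The rule fields, addresses and virtual router names are constructed; it assumes that non-address-specific rules are still tried after the matching address-specific ones and that the "normal" order is ascending priority number.

```python
from dataclasses import dataclass
from operator import attrgetter
from typing import List, Optional, Tuple

Endpoint = Tuple[str, str]  # (local IP address, virtual router name)

@dataclass(frozen=True)
class IkePolicyRule:
    priority: int                      # priority number; identifies the rule in this model
    scope: Optional[Endpoint] = None   # None = valid for any local IP on any virtual router

def evaluation_order(rules: List[IkePolicyRule], endpoint: Endpoint) -> List[int]:
    """Priority numbers of the rules tried for an IKE SA exchange on `endpoint`, in order."""
    by_priority = attrgetter("priority")
    # Address-specific rules naming this exact local IP and virtual router go first,
    # lowest priority number first.
    specific = sorted((r for r in rules if r.scope == endpoint), key=by_priority)
    # Assumption: rules without a scope follow, in ascending priority number.
    generic = sorted((r for r in rules if r.scope is None), key=by_priority)
    # Rules scoped to any other address or virtual router are never evaluated here.
    return [r.priority for r in specific + generic]

def generic_only(rules: List[IkePolicyRule], endpoints: List[Endpoint]) -> List[Endpoint]:
    """Endpoints that no address-specific rule covers, so only catch-all rules apply."""
    scoped = {r.scope for r in rules if r.scope is not None}
    return [e for e in endpoints if e not in scoped]

# Constructed sample configuration (documentation addresses, made-up virtual router names).
SAMPLE_RULES = [
    IkePolicyRule(5),
    IkePolicyRule(30, ("192.0.2.1", "vr-subscribers")),
    IkePolicyRule(10, ("192.0.2.1", "vr-subscribers")),
    IkePolicyRule(20, ("198.51.100.7", "vr-mgmt")),
    IkePolicyRule(40),
]
SAMPLE_ENDPOINTS = [
    ("192.0.2.1", "vr-subscribers"),
    ("192.0.2.1", "vr-mgmt"),        # same IP, different virtual router
    ("198.51.100.7", "vr-mgmt"),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(ep, "->", evaluation_order(SAMPLE_RULES, ep))
    print("catch-all only:", generic_only(SAMPLE_RULES, SAMPLE_ENDPOINTS))
```

An endpoint reported by generic_only is negotiated solely under the unscoped rules, so those rules deserve the same review as the address-specific ones.
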
Chapter 6: Configuring Dynamic IPSec Subscribers