You can configure remote IP security policy using both
a stack-specific file and a common file. If there are duplicate statements,
the stack-specific file always takes precedence over the common file.
Procedure
Perform the following steps to configure remote IP security
policy using both a stack-specific IP security configuration file
and a common IP security configuration file.
1. In the main Policy Agent configuration file on the policy
   client, include the ServerConnection statement, and a line with the
   TcpImage statement for each IP security stack to be configured:

   ServerConnection
   {
     …
   }
   TcpImage TCPCS /etc/TCPCS.image
   TcpImage TCPCS2 /etc/TCPCS2.image
   ⋮

2. In each configuration file that was identified on a TcpImage
   statement in step 1, include a PolicyServer statement whose ClientName
   is unique to that stack. For example, in /etc/TCPCS.image:

   PolicyServer
   {
     ClientName IPSecClientTCPCS
     PolicyType IPSec
     {
       …
     }
     …
   }

   In /etc/TCPCS2.image:

   PolicyServer
   {
     ClientName IPSecClientTCPCS2
     PolicyType IPSec
     {
       …
     }
     …
   }

3. In the main configuration file on the policy server, include one
   DynamicConfigPolicyLoad statement for each ClientName from step 2. Each
   one names the same common file on CommonPolicyLoad and its own
   stack-specific file on PolicyLoad, as follows:

   DynamicConfigPolicyLoad IPSecClientTCPCS
   {
     PolicyType IPSec
     {
       CommonPolicyLoad /etc/common.ipsecpol
       PolicyLoad /etc/TCPCS.ipsecpol
     }
     …
   }
   DynamicConfigPolicyLoad IPSecClientTCPCS2
   {
     PolicyType IPSec
     {
       CommonPolicyLoad /etc/common.ipsecpol
       PolicyLoad /etc/TCPCS2.ipsecpol
     }
     …
   }
Results
Any statements in the common IP security configuration
file are added to the policy for each stack when the policy is initialized.
Either file, /etc/TCPCS.ipsecpol or /etc/TCPCS2.ipsecpol, can refer
to statements in /etc/common.ipsecpol. In the case of duplicate names,
any named statement in the stack-specific IP security configuration
file overrides a statement with the same name in the common IP security
configuration file.
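To make the precedence rule concrete, the following is an added Python model (not IBM code and not a real Policy Agent parser) that loads a constructed /etc/common.ipsecpol and /etc/TCPCS.ipsecpol written in the brace syntax shown above and reports which named statements the stack-specific file replaces. The IpFilterRule samples, their bodies, and the assumption that every top-level statement has a name are constructed for this illustration.

```python
import re

def parse_named_statements(text):
    """Return {(type, name): body_tokens} for each top-level `Type Name { ... }`
    block; brace depth is tracked so nested blocks stay with their statement."""
    tokens = re.sub(r"#.*", "", text).replace("{", " { ").replace("}", " } ").split()
    statements, i = {}, 0
    while i < len(tokens):
        if i + 2 >= len(tokens) or tokens[i + 2] != "{":
            raise ValueError(f"expected 'Type Name {{' near {tokens[i:i + 3]}")
        depth, j = 1, i + 3
        while depth:                       # advance to the matching close brace
            depth += {"{": 1, "}": -1}.get(tokens[j], 0)
            j += 1
        statements[(tokens[i], tokens[i + 1])] = tokens[i + 3:j - 1]
        i = j
    return statements

def effective_policy(common_text, stack_text):
    """Load the common statements first, then the stack file; a stack statement
    with the same type and name replaces the common one (the rule in Results)."""
    policy = parse_named_statements(common_text)
    stack = parse_named_statements(stack_text)
    overridden = sorted(k for k in stack if k in policy)
    policy.update(stack)
    return policy, overridden

# Constructed sample files (not from the page); the bodies are only tokenized.
COMMON_IPSECPOL = """
IpFilterRule PermitDns        # common rule with no source restriction
{
  IpServiceRef DnsService
  IpGenericFilterActionRef Permit
}
IpFilterRule DenyAll { IpGenericFilterActionRef Deny }
"""
TCPCS_IPSECPOL = """
IpFilterRule PermitDns        # same name: replaces the common rule for TCPCS
{
  IpSourceAddr 10.0.0.5
  IpServiceRef DnsService
  IpGenericFilterActionRef Permit
}
IpFilterRule PermitSsh { IpServiceRef SshService IpGenericFilterActionRef Permit }
"""

if __name__ == "__main__":
    policy, overridden = effective_policy(COMMON_IPSECPOL, TCPCS_IPSECPOL)
    print("TCPCS policy:", sorted(name for _, name in policy), "overridden:", overridden)
```

Running it shows that TCPCS ends up with DenyAll from the common file, PermitSsh from its own file, and the stack-specific PermitDns (the one carrying IpSourceAddr) in place of the common definition.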