IpLocalStartAction statement

Use the IpLocalStartAction statement to indicate how to determine the local IP, remote IP, local port, remote port, protocol specification, ICMP type and code specifications, and mobility header type specification for the local activation of a dynamic VPN. It provides information about the remote and local security endpoints with which dynamic SAs should be negotiated.

The IpLocalStartAction statement is optional for host-to-host dynamic SAs that are initiated locally. If this statement is not specified, default values are used to locate a matching KeyExchangeRule statement. The KeyExchangeRule statement is searched for based on the local and remote dynamic SA endpoints to be negotiated. If no IpLocalStartAction is specified on the IpFilterRule statement, the remote IP security endpoint is supplied from the destination IP address of the outbound packet in the case of an OnDemand request, or from the RemoteIp keyword value in the case of activation based on a LocalDynVpnRule statement. The local IP security endpoint is supplied from the source IP address of the outbound packet, or from the LocalIp keyword value in the case of activation based on the LocalDynVpnRule statement.

If the IpLocalStartAction statement is not specified, the AllowOnDemand default policy specified on the IpFilterPolicy is used to determine whether OnDemand requests are allowed. Additionally, defaults for granularity of locally initiated SAs are determined as follows:
  • The IP addresses used for the security endpoints are determined based on the outbound packet (OnDemand) or the LocalIp and RemoteIp keywords from the LocalDynVpnRule statement.
  • The negotiated SA is based on the protocol value specified in the rule which can either be a specific protocol or all protocols.
  • For both source port and destination port, if the matching filter rule specifies a single port value or all ports, the SA is negotiated with the port value from the rule. IKE version 1 negotiation can be done only with a single port or all ports. When the rule specifies a port range and IKE version 1 is used, the negotiation is done with the port specification from the outbound packet or the LocalDynVpnRule statement. When the rule specifies a port range and IKE version 2 is used, the negotiation is done with the port range specification.
  • If the filter rule specifies an ICMP type and code, ICMPv6 type and code, or mobility header type, the negotiated SA is based on those specifications. IKE version 1 negotiation can only be done with ICMP type and code, ICMPv6 type and code, or mobility header type specification of any.

Syntax

>>-IpLocalStartAction--name--| Put Braces and Parameters on Separate Lines |-><

Put Braces and Parameters on Separate Lines

|--+-{---------------------------------+------------------------|
   +-| IpLocalStartAction Parameters |-+   
   '-}---------------------------------'   

IpLocalStartAction Parameters

   .-AllowOnDemand --No-----.   
|--+------------------------+----------------------------------->
   '-AllowOnDemand--+-Yes-+-'   
                    '-No--'     

   .-LocalPortGranularity --Rule------.   
>--+----------------------------------+------------------------->
   '-LocalPortGranularity--+-Rule---+-'   
                           '-Packet-'     

   .-RemotePortGranularity --Rule------.   
>--+-----------------------------------+------------------------>
   '-RemotePortGranularity--+-Rule---+-'   
                            '-Packet-'     

   .-ProtocolGranularity --Rule------.   
>--+---------------------------------+-------------------------->
   '-ProtocolGranularity--+-Rule---+-'   
                          '-Packet-'     

   .-ICMPCodeGranularity --Rule------.   
>--+---------------------------------+-------------------------->
   '-ICMPCodeGranularity--+-Rule---+-'   
                          '-Packet-'     

   .-ICMPTypeGranularity --Rule------.   
>--+---------------------------------+-------------------------->
   '-ICMPTypeGranularity--+-Rule---+-'   
                          '-Packet-'     

   .-ICMPv6CodeGranularity --Rule------.   
>--+-----------------------------------+------------------------>
   '-ICMPv6CodeGranularity--+-Rule---+-'   
                            '-Packet-'     

   .-ICMPv6TypeGranularity --Rule------.   
>--+-----------------------------------+------------------------>
   '-ICMPv6TypeGranularity--+-Rule---+-'   
                            '-Packet-'     

   .-MIPv6TypeGranularity --Rule------.   
>--+----------------------------------+------------------------->
   '-MIPv6TypeGranularity--+-Rule---+-'   
                           '-Packet-'     

   .-RemoteIpGranularity --Packet----.   
>--+---------------------------------+-------------------------->
   '-RemoteIpGranularity--+-Rule---+-'   
                          '-Packet-'     

   .-LocalIpGranularity --Packet----.   
>--+--------------------------------+--------------------------->
   '-LocalIpGranularity--+-Rule---+-'   
                         '-Packet-'     

>--+-------------------------------+---------------------------->
   +-LocalSecurityEndpoint---------+   
   '-LocalSecurityEndpointRef name-'   

>--+--------------------------------+--------------------------->
   +-RemoteSecurityEndpoint---------+   
   '-RemoteSecurityEndpointRef name-'   

>--+------------------------------------------+-----------------|
   +-InitiateToLocation--+-IpAddr ipaddress-+-+   
   |                     '-Dns dnsname------' |   
   '-InitiateToLocationRef name---------------'   

Parameters

name
A string 1 - 32 characters in length specifying the name of this IpLocalStartAction statement. The name cannot start with a dash (-) or contain any commas (,).
AllowOnDemand
Indicates whether outbound IP packets that match the filter rule can trigger an on-demand activation of a phase 2 negotiation. The default of No disallows on-demand activations.
LocalIpGranularity
The LocalIpGranularity value is consulted only when creating an on-demand dynamic VPN. It specifies which of the following IP addresses should be used as the local IP address during a phase 2 negotiation:
  • The source IP address specification of the matching IP filter rule
  • The source IP address in the IP packet that resulted in the on-demand activation
RemoteIpGranularity
The RemoteIpGranularity is consulted only when creating an on-demand dynamic VPN. It specifies which of the following IP addresses should be used as the remote IP address during a phase 2 negotiation:
  • The destination IP address specification of the matching IP filter rule
  • The destination IP address in the IP packet that resulted in the on-demand activation
LocalPortGranularity
Specifies which of the following port values should be used as the local port specification during a phase 2 negotiation:
  • The source port specification of the matching IP filter rule.
  • The source port specification in the IP packet that resulted in the on-demand activation.

Restriction: If the matching IP filter rule has an IpService statement that specifies a source port range and the dynamic VPN is negotiated using IKE version 1, then the source port from the IP packet is used regardless of the LocalPortGranularity value. IKE version 1 does not support port ranges for this purpose.

Tip: IKE version 1 does not support negotiating a single SA for a port range other than All ports. When using IKE version 1, if you want to negotiate a single phase 2 SA to cover all ports for local activations, then you must code a port specification of All on your IpService statement, in addition to a LocalPortGranularity of Rule.

RemotePortGranularity
Specifies which of the following port values should be used as the remote port specification during a phase 2 negotiation:
  • The destination port specification of the matching IP filter rule.
  • The destination port specification in the IP packet that resulted in the on-demand activation.

Restriction: If the matching IP filter rule has an IpService statement that specifies a destination port range and the dynamic VPN is negotiated using IKE version 1, then the destination port from the IP packet is used regardless of the RemotePortGranularity value. IKE version 1 does not support port ranges for this purpose.

Tip: IKE version 1 does not support negotiating a single SA for a port range other than All ports. When using IKE version 1, if you want to negotiate a single phase 2 SA to cover all ports for local activations, then you must code a port specification of All on your IpService statement, in addition to a RemotePortGranularity of Rule.

ProtocolGranularity
Specifies which of the following protocol values should be used as the protocol specification during a phase 2 negotiation:
  • The protocol specification of the matching IP filter rule
  • The protocol specification in the IP packet that resulted in the on-demand activation
ICMPCodeGranularity
Specifies which of the following ICMP code values should be used during an IKE version 2 phase 2 negotiation:
  • The ICMP code specification of the matching IP filter rule
  • The ICMP code specification in the IP packet that resulted in the on-demand activation

The ICMPCodeGranularity parameter is ignored when IKE version 1 is used. The ICMP code specification of the matching IP filter rule is used during an IKE version 1 phase 2 negotiation. An IKE version 1 negotiation fails if the matching IP filter rule ICMP code specification contains a value other than any.

Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

ICMPTypeGranularity
Specifies which of the following ICMP type values should be used during an IKE version 2 phase 2 negotiation:
  • The ICMP type specification of the matching IP filter rule
  • The ICMP type specification in the IP packet that resulted in the on-demand activation

The ICMPTypeGranularity parameter is ignored when IKE version 1 is used. The ICMP type specification of the matching IP filter rule is used during an IKE version 1 phase 2 negotiation. An IKE version 1 negotiation fails if the matching IP filter rule ICMP type specification contains a value other than any.

Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

ICMPv6CodeGranularity
Specifies which of the following ICMPv6 code values should be used during an IKE version 2 phase 2 negotiation:
  • The ICMPv6 code specification of the matching IP filter rule
  • The ICMPv6 code specification in the IP packet that resulted in the on-demand activation

The ICMPv6CodeGranularity parameter is ignored when IKE version 1 is used. The ICMPv6 code specification of the matching IP filter rule is used during an IKE version 1 phase 2 negotiation. An IKE version 1 negotiation fails if the matching IP filter rule ICMPv6 code specification contains a value other than any.

Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

ICMPv6TypeGranularity
Specifies which of the following ICMPv6 type values should be used during an IKE version 2 phase 2 negotiation:
  • The ICMPv6 type specification of the matching IP filter rule
  • The ICMPv6 type specification in the IP packet that resulted in the on-demand activation

The ICMPv6TypeGranularity parameter is ignored when IKE version 1 is used. The ICMPv6 type specification of the matching IP filter rule is used during an IKE version 1 phase 2 negotiation. An IKE version 1 negotiation fails if the matching IP filter rule ICMPv6 type specification contains a value other than any.

Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

MIPv6TypeGranularity
Specifies which of the following mobility header type values should be used during an IKE version 2 phase 2 negotiation:
  • The MIPv6 type specification of the matching IP filter rule
  • The MIPv6 type specification in the IP packet that resulted in the on-demand activation

The MIPv6TypeGranularity parameter is ignored when IKE version 1 is used. The MIPv6 type specification of the matching IP filter rule is used during an IKE version 1 phase 2 negotiation. An IKE version 1 negotiation fails if the matching IP filter rule MIPv6 type specification contains a value other than any.

Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
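The following script models how the defaults described at the top of this page and the granularity keywords above combine to pick the phase 2 selectors for an on-demand activation, including the IKE version 1 fallbacks (port ranges replaced by the packet's port, ICMP and MIPv6 keywords ignored and the rule value required to be any). It is an added example, not IBM Policy Agent code: the statement names (OnDemand-PacketPorts and so on), the filter rule values and the packet are constructed, the parser handles only the flat `Statement name { Keyword value }` shape (no inline LocalSecurityEndpoint or RemoteSecurityEndpoint blocks), and it assumes `#` starts a comment.

```python
"""Model of how an IpLocalStartAction chooses the phase 2 (dynamic SA)
traffic selectors for an on-demand activation.

Added example, not IBM Policy Agent code. The parser handles only the flat
`Statement name { Keyword value ... }` shape of this statement (no nested
inline endpoint blocks); treating `#` as a comment marker is an assumption.
The sample config, filter rule and packet below are constructed. The
selection logic follows the defaults and IKE version 1 restrictions
described on the IpLocalStartAction page.
"""
import re

SAMPLE_CONFIG = """
# Constructed sample configuration, not from a real system.
IpLocalStartAction   OnDemand-PacketPorts
{
   AllowOnDemand            Yes
   LocalPortGranularity     Packet
   RemotePortGranularity    Rule
   ProtocolGranularity      Rule
   LocalIpGranularity       Packet
   RemoteIpGranularity      Packet
}
IpLocalStartAction   OnDemand-Defaults
{
   AllowOnDemand            Yes
}
IpLocalStartAction   NoOnDemand
{
}
"""

# Constructed matching IP filter rule (values as coded on IpFilterRule/IpService)
# and the outbound packet that would trigger an on-demand activation.
RULE = {"LocalIp": "192.0.2.0/24", "RemoteIp": "198.51.100.0/24",
        "Protocol": "tcp", "LocalPort": "1024-65535", "RemotePort": "22",
        "ICMPType": "any", "ICMPCode": "any", "ICMPv6Type": "any",
        "ICMPv6Code": "any", "MIPv6Type": "any"}
PACKET = {"LocalIp": "192.0.2.7", "RemoteIp": "198.51.100.9",
          "Protocol": "tcp", "LocalPort": "40211", "RemotePort": "22",
          "ICMPType": "any", "ICMPCode": "any", "ICMPv6Type": "any",
          "ICMPv6Code": "any", "MIPv6Type": "any"}

# Defaults from the syntax diagram: IP selectors default to Packet, all others to Rule.
DEFAULT_GRANULARITY = {"LocalIp": "Packet", "RemoteIp": "Packet"}


def parse_statements(text):
    """Parse `Stmt name { Key value ... }` blocks into {(stmt, name): {key: value}}."""
    text = re.sub(r"#[^\n]*", "", text)          # drop comments (assumed # syntax)
    stmts = {}
    for m in re.finditer(r"(\w+)\s+(\S+)\s*\{([^}]*)\}", text):
        stmt, name, body = m.groups()
        params = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts:
                params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        stmts[(stmt, name)] = params
    return stmts


def is_port_range(value):
    """True for a range such as 1024-65535; a single port or All is not a range."""
    return "-" in value


def select_phase2(action, rule, packet, ike_version):
    """Return the selector values to negotiate, or raise if the activation is
    not allowed (AllowOnDemand) or cannot be negotiated (IKEv1 restrictions)."""
    if action.get("AllowOnDemand", "No") != "Yes":
        raise PermissionError("AllowOnDemand is No: on-demand activation refused")

    def pick(field):
        gran = action.get(field + "Granularity", DEFAULT_GRANULARITY.get(field, "Rule"))
        return packet[field] if gran == "Packet" else rule[field]

    sel = {f: pick(f) for f in ("LocalIp", "RemoteIp", "Protocol")}

    for field in ("LocalPort", "RemotePort"):
        value = pick(field)
        # IKEv1 cannot negotiate a port range other than All: the packet's
        # port is used instead, whatever the granularity keyword says.
        if ike_version == 1 and is_port_range(value):
            value = packet[field]
        sel[field] = value

    for field in ("ICMPType", "ICMPCode", "ICMPv6Type", "ICMPv6Code", "MIPv6Type"):
        if ike_version == 1:
            # Granularity keyword ignored; the rule value is used and must be any.
            if rule[field].lower() != "any":
                raise ValueError(f"IKEv1 negotiation fails: rule {field} is {rule[field]}")
            sel[field] = "any"
        else:
            sel[field] = pick(field)
    return sel


if __name__ == "__main__":
    for (stmt, name), params in parse_statements(SAMPLE_CONFIG).items():
        for ike in (2, 1):
            try:
                print(name, f"IKEv{ike}", select_phase2(params, RULE, PACKET, ike))
            except (PermissionError, ValueError) as err:
                print(name, f"IKEv{ike} ->", err)
```

Running it shows the practical difference between the two allowed actions: with the page's defaults the IKEv2 SA covers the whole source port range from the rule, while the same action under IKEv1 silently narrows the SA to the single source port of the triggering packet, so each new connection from a different ephemeral port starts another negotiation.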

LocalSecurityEndpoint
An inline specification of a LocalSecurityEndpoint statement.

The LocalSecurityEndpoint statement is used to locate a KeyExchangeRule statement that indicates how IKE negotiations are to be protected.

The LocalSecurityEndpoint statement is optional for host-to-host and host-to-gateway configurations. If this statement is not specified, default values are used to locate a matching KeyExchangeRule statement. The KeyExchangeRule statement is located based on the local and remote dynamic SA endpoints to be negotiated. The local IP security endpoint is supplied based on the source IP address in an outbound packet in the case of an on-demand activation or the LocalIp keyword in the case of activation based on a LocalDynVpnRule statement.

LocalSecurityEndpointRef
The name of a globally defined LocalSecurityEndpoint statement. The LocalSecurityEndpoint statement is used to locate a KeyExchangeRule statement that indicates how IKE negotiations are to be protected.
RemoteSecurityEndpoint
An inline specification of a RemoteSecurityEndpoint statement. The RemoteSecurityEndpoint statement is used to locate a KeyExchangeRule statement that indicates how IKE negotiations are to be protected.
RemoteSecurityEndpointRef
The name of a globally defined RemoteSecurityEndpoint statement. The RemoteSecurityEndpoint statement is used to locate a KeyExchangeRule statement that indicates how IKE negotiations are to be protected.
InitiateToLocation
IpAddr
The IP address specification of the remote security endpoint to be used when initiating a dynamic VPN tunnel.
Dns
The DNS name of the remote security endpoint to be used when initiating a dynamic VPN tunnel. The maximum length of DNS name is 512.
The InitiateToLocation parameter is optional for host-to-host or gateway-to-host configurations. If the parameter is not specified, the location to initiate to is determined at run time. For on-demand activations, the destination address in the IP packet that triggered the activation is used. For activations based on a LocalDynVpnRule statement, the IP address from the RemoteIp keyword is used. The IP address specified for InitiateToLocation should be included within the subnet or range of IP addresses specified as the location on the RemoteSecurityEndpoint parameter. If the RemoteSecurityEndpoint parameter specifies a single IP address as its location, the InitiateToLocation parameter should match that location value.
InitiateToLocationRef
The name of a globally defined IpAddr statement for the remote security endpoint to be used when initiating a dynamic VPN tunnel.
Rules:
  • All Location addresses in LocalSecurityEndpoint and RemoteSecurityEndpoint for this action must be in the same address family (IPv4 or IPv6).
  • The address for the IpFilterRule statement associated with this action must be in the same address family as the Location addresses in the LocalSecurityEndpoint and RemoteSecurityEndpoint parameters.