Use the IpLocalStartAction statement to indicate how the local IP address, remote IP address, local port, remote port, protocol, ICMP type and code, and mobility header type are determined (from the matching IP filter rule or from the triggering packet) when a dynamic VPN is activated locally. It also identifies the local and remote security endpoints with which the dynamic SAs should be negotiated.
The IpLocalStartAction statement is optional for host-to-host dynamic SAs that are initiated locally. If it is not specified, default values are used to locate a matching KeyExchangeRule statement; the KeyExchangeRule statement is located by the local and remote dynamic SA endpoints to be negotiated. When no IpLocalStartAction is specified on the IpFilterRule statement, the remote IP security endpoint is taken from the destination IP address of the outbound packet (OnDemand activation) or from the RemoteIp keyword value (activation based on a LocalDynVpnRule statement), and the local IP security endpoint is taken from the source IP address of the outbound packet or from the LocalIp keyword value of the LocalDynVpnRule statement, respectively.
Syntax:

   IpLocalStartAction name
   {
      AllowOnDemand           Yes | No            (default No)
      LocalPortGranularity    Rule | Packet       (default Rule)
      RemotePortGranularity   Rule | Packet       (default Rule)
      ProtocolGranularity     Rule | Packet       (default Rule)
      ICMPCodeGranularity     Rule | Packet       (default Rule)
      ICMPTypeGranularity     Rule | Packet       (default Rule)
      ICMPv6CodeGranularity   Rule | Packet       (default Rule)
      ICMPv6TypeGranularity   Rule | Packet       (default Rule)
      MIPv6TypeGranularity    Rule | Packet       (default Rule)
      RemoteIpGranularity     Rule | Packet       (default Packet)
      LocalIpGranularity      Rule | Packet       (default Packet)
      LocalSecurityEndpoint { ... }   |  LocalSecurityEndpointRef name
      RemoteSecurityEndpoint { ... }  |  RemoteSecurityEndpointRef name
      InitiateToLocation IpAddr ipaddress  |  InitiateToLocation Dns dnsname  |  InitiateToLocationRef name
   }

All parameters are optional. Put the braces and each parameter on separate lines.
Restriction (LocalPortGranularity): If the matching IP filter rule has an IpService statement that specifies a source port range and the dynamic VPN is negotiated using IKE version 1, the source port from the IP packet is used instead of the range. IKE version 1 does not support port ranges for this purpose.
Tip: IKE version 1 cannot negotiate a single SA for a port range other than All ports. When you use IKE version 1 and want a single phase 2 SA to cover all ports for local activations, code a port specification of All on the IpService statement in addition to a LocalPortGranularity of Rule.
Restriction (RemotePortGranularity): If the matching IP filter rule has an IpService statement that specifies a destination port range and the dynamic VPN is negotiated using IKE version 1, the destination port from the IP packet is used instead of the range. IKE version 1 does not support port ranges for this purpose.
Tip: IKE version 1 cannot negotiate a single SA for a port range other than All ports. When you use IKE version 1 and want a single phase 2 SA to cover all ports for local activations, code a port specification of All on the IpService statement in addition to a RemotePortGranularity of Rule.
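The following Policy Agent fragment is an added example, not part of the original page or of IBM's own sample policies; it contrasts the IKE version 2 and IKE version 1 port-granularity cases described above. The statement names (svc-tcp-8000-8099, svc-tcp-all, start-rule-gran, rule-app-8000), the addresses, and the referenced IpGenericFilterAction and IpDynVpnAction names (permit-ipsec, dynvpn-app) are chosen here and are assumed to be defined elsewhere in the policy; the IpService keyword spellings are as given in the IpService statement reference and should be checked against it.

```text
# Added example: one SA for a whole port range (IKE version 2).
IpService                     svc-tcp-8000-8099
{
  Protocol                    tcp
  SourcePortRange             8000 8099
  DestinationPortRange        All
  Direction                   bidirectional
  Routing                     local
}

# Rule granularity for ports and protocol: the phase 2 / child SA selector
# is taken from the rule (tcp, source ports 8000-8099) rather than from the
# single port of the packet that triggered the on-demand activation.
# With IKE version 1 this range cannot be negotiated, so the source port of
# the triggering packet would be used instead (see the restriction above).
IpLocalStartAction            start-rule-gran
{
  AllowOnDemand               Yes
  LocalPortGranularity        Rule
  RemotePortGranularity       Rule
  ProtocolGranularity         Rule
  LocalIpGranularity          Packet
  RemoteIpGranularity         Packet
}

# IKE version 1 alternative: a single SA covering every port requires a
# port specification of All on the IpService, together with Rule
# granularity for the ports.
IpService                     svc-tcp-all
{
  Protocol                    tcp
  SourcePortRange             All
  DestinationPortRange        All
  Direction                   bidirectional
  Routing                     local
}

IpFilterRule                  rule-app-8000
{
  IpSourceAddr                10.1.1.1
  IpDestAddr                  10.1.1.2
  IpServiceRef                svc-tcp-8000-8099
  IpGenericFilterActionRef    permit-ipsec
  IpDynVpnActionRef           dynvpn-app
  IpLocalStartActionRef       start-rule-gran
}
```

To use the IKE version 1 variant, point IpServiceRef at svc-tcp-all; keeping the 8000-8099 service with IKE version 1 still works, but each distinct source port that sends traffic triggers its own phase 2 negotiation because the packet's port, not the range, becomes the selector.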
The ICMPCodeGranularity parameter is ignored when IKE version 1 is used. The ICMP code specification of the matching IP filter rule is used during an IKE version 1 phase 2 negotiation. An IKE version 1 negotiation fails if the matching IP filter rule ICMP code specification contains a value other than any.
Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
The ICMPTypeGranularity parameter is ignored when IKE version 1 is used. The ICMP type specification of the matching IP filter rule is used during an IKE version 1 phase 2 negotiation. An IKE version 1 negotiation fails if the matching IP filter rule ICMP type specification contains a value other than any.
Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
The ICMPv6CodeGranularity parameter is ignored when IKE version 1 is used. The ICMPv6 code specification of the matching IP filter rule is used during an IKE version 1 phase 2 negotiation. An IKE version 1 negotiation fails if the matching IP filter rule ICMPv6 code specification contains a value other than any.
Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
The ICMPv6TypeGranularity parameter is ignored when IKE version 1 is used. The ICMPv6 type specification of the matching IP filter rule is used during an IKE version 1 phase 2 negotiation. An IKE version 1 negotiation fails if the matching IP filter rule ICMPv6 type specification contains a value other than any.
Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
The MIPv6TypeGranularity parameter is ignored when IKE version 1 is used. The MIPv6 type specification of the matching IP filter rule is used during an IKE version 1 phase 2 negotiation. An IKE version 1 negotiation fails if the matching IP filter rule MIPv6 type specification contains a value other than any.
Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
The LocalSecurityEndpoint statement identifies the local IKE endpoint and is used, together with the remote security endpoint, to locate the KeyExchangeRule statement that indicates how the IKE negotiations are to be protected.
The LocalSecurityEndpoint statement is optional for host-to-host and host-to-gateway configurations. If it is not specified, default values are used to locate a matching KeyExchangeRule statement; the KeyExchangeRule statement is located by the local and remote dynamic SA endpoints to be negotiated. The local IP security endpoint is then taken from the source IP address of the outbound packet (on-demand activation) or from the LocalIp keyword value (activation based on a LocalDynVpnRule statement).
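The following fragment is an added example, not part of the original page or of IBM's own sample policies; it shows a host-to-gateway case, where the remote security endpoint (the gateway) cannot be derived from the packet's destination address, so the IpLocalStartAction names the endpoints explicitly and the same endpoint statements are used to select the KeyExchangeRule. All statement names (ep-local, ep-gateway, kx-to-gateway, start-to-gateway, rule-to-branch-host), the addresses, and the referenced KeyExchangeAction, IpService, IpGenericFilterAction and IpDynVpnAction names are chosen here and assumed to be defined elsewhere in the policy; the Identity and Location keywords of the endpoint statements are as given in their own statement references.

```text
# Added example: explicit security endpoints for a host-to-gateway tunnel.
# The local host is 10.1.1.1, the remote IPSec gateway is 192.0.2.1, and the
# protected host behind the gateway is 172.16.5.10.
LocalSecurityEndpoint         ep-local
{
  Identity                    IpAddr 10.1.1.1
  Location                    10.1.1.1
}

RemoteSecurityEndpoint        ep-gateway
{
  Identity                    IpAddr 192.0.2.1
  Location                    192.0.2.1
}

# The KeyExchangeRule is found by matching the local and remote security
# endpoints that the IpLocalStartAction supplies.
KeyExchangeRule               kx-to-gateway
{
  LocalSecurityEndpointRef    ep-local
  RemoteSecurityEndpointRef   ep-gateway
  KeyExchangeActionRef        kx-action-ikev2
}

# Without the two endpoint references below, the remote endpoint would
# default to the packet's destination (172.16.5.10), which is not the IKE
# peer, and no KeyExchangeRule would match.
IpLocalStartAction            start-to-gateway
{
  AllowOnDemand               Yes
  LocalIpGranularity          Packet
  RemoteIpGranularity         Rule
  LocalSecurityEndpointRef    ep-local
  RemoteSecurityEndpointRef   ep-gateway
}

IpFilterRule                  rule-to-branch-host
{
  IpSourceAddr                10.1.1.1
  IpDestAddr                  172.16.5.10
  IpServiceRef                svc-any
  IpGenericFilterActionRef    permit-ipsec
  IpDynVpnActionRef           dynvpn-tunnel
  IpLocalStartActionRef       start-to-gateway
}
```

RemoteIpGranularity Rule makes the remote IP selector come from the rule's IpDestAddr rather than from the triggering packet; with a single-host IpDestAddr as here the result is the same, but when the rule covers an address range the choice decides whether one SA protects the whole range or only the destination that triggered activation.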