Active Security Associations and the ipsec -f default command

Any active Security Associations that were negotiated for IPSec-protected traffic are not deleted when the ipsec -f default command is issued. However, they are deleted if, while the default policy is in effect, any associated IP filter rules from the IP filter policy are deleted or modified in such a way that the filter rule no longer encompasses the scope of the Security Association. In that case, the Security Association will be deleted when the IP security policy is reloaded.

For example, Security Associations are not deleted by the following sequence of actions:

  1. The ipsec -f default command is issued.

    Security Associations remain active in the stack and in IKE, though unavailable for use.

  2. No modification is made to the IP filter policy in the IP security configuration files.

    Security Associations remain active in the stack and in IKE, though unavailable for use.

  3. The ipsec -f reload command is issued.

    Security Associations remain active in the stack and in IKE, and are available for use.

Security Associations are deleted by the following sequence of actions:

  1. The ipsec -f default command is issued.

    Security Associations remain active in the stack and in IKE.

  2. The IpFilterRule statement that is associated with an active Security Association is deleted.
  3. The IP security policy is updated by issuing the MODIFY PAGENT,REFRESH command from the console.

    Existing Security Associations are deleted.

  4. The ipsec -f reload command is issued.

    Security Associations have been deleted.

In either case, Security Associations are never available for use when the default IP filter policy is in effect.
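The two sequences above as an added Python model (an illustration written for this page, not z/OS code or command output): RuleA, RuleB, SA-A, SA-B and their networks are constructed sample values, and the model covers only the behaviour the text describes, with the policy refresh deleting any Security Association whose IpFilterRule was deleted or narrowed so that it no longer encompasses the SA's scope.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

@dataclass
class SecurityAssociation:
    name: str
    rule: str               # IpFilterRule under which the SA was negotiated
    remote: IPv4Network     # traffic selector the SA protects
    available: bool = True  # usable for traffic

class IpSecStack:
    def __init__(self, rules, sas):
        self.config_rules = dict(rules)  # IpFilterRule name -> network it covers
        self.sas = list(sas)             # SAs active in the stack and in IKE

    def ipsec_f(self, option):
        # "default" keeps every SA active but unusable; "reload" makes the survivors usable again.
        for sa in self.sas:
            sa.available = option == "reload"

    def edit_rule(self, name, remote=None):
        # Edits the configuration files only; the stack is untouched until the policy is refreshed.
        if remote is None:
            self.config_rules.pop(name, None)
        else:
            self.config_rules[name] = ip_network(remote)

    def modify_pagent_refresh(self):
        # Policy reload: an SA whose rule no longer encompasses its scope is deleted.
        self.sas = [sa for sa in self.sas if sa.rule in self.config_rules
                    and self.config_rules[sa.rule].supernet_of(sa.remote)]

def run(steps):
    """Apply (label, method, *args) steps to a fresh stack; return (label, active, usable) per step."""
    stack = IpSecStack({"RuleA": ip_network("10.1.0.0/16"), "RuleB": ip_network("192.168.5.0/24")},
                       [SecurityAssociation("SA-A", "RuleA", ip_network("10.1.2.0/24")),
                        SecurityAssociation("SA-B", "RuleB", ip_network("192.168.5.0/24"))])
    trace = []
    for label, method, *args in steps:
        getattr(stack, method)(*args)
        trace.append((label, {sa.name for sa in stack.sas}, {sa.name for sa in stack.sas if sa.available}))
    return trace

def documented_sequences():
    keep = run([("ipsec -f default", "ipsec_f", "default"), ("ipsec -f reload", "ipsec_f", "reload")])
    delete = run([("ipsec -f default", "ipsec_f", "default"),
                  ("delete RuleA", "edit_rule", "RuleA"),
                  ("narrow RuleB", "edit_rule", "RuleB", "192.168.5.0/25"),
                  ("MODIFY PAGENT,REFRESH", "modify_pagent_refresh"),
                  ("ipsec -f reload", "ipsec_f", "reload")])
    return keep, delete
```

The trace of the second sequence shows that editing the configuration alone changes nothing in the stack; the SAs disappear only at the MODIFY PAGENT,REFRESH step, and neither sequence makes an SA usable while the default policy is in effect.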