Click Create on the IPSec Manager screen to create a new IPSec Policy. The Create IPSec Policy window appears. For more information about any of the fields on this window, go to "Configuration Reference" at the end of Chapter 1, or click the Help button at the bottom of the window.
In the Name field, enter a name that uniquely identifies
this IPSec policy. The name is not case-sensitive.
Click the Exclusive checkbox to enable it if you
want to specify session-based keying. Leave the Exclusive checkbox
unchecked if you want to specify host-based keying.
You can select session-based keying (check the Exclusive checkbox) only
if the transform list does not contain Discard or Pass as the transform
policy.
You must use session-based keying if the transform for the
policy is not Pass or Discard,
and the remote prefix length indicates a subnet (value of less than
32 for IPv4 or value of less than 128 for IPv6) or if the remote
IP address is a wildcard (*). In this case, the Exclusive checkbox
is selected and unmodifiable (grayed out).
Select the Policy Type (hashed or ordered) for this
IPSec/9000 Policy. For more information, see "Policy Type" in
the Configuration Reference section of this chapter.
Enter the IP Address and Prefix Length of your local
system. You can use an IPv4 address or an IPv6 address.
The local IP address cannot be a broadcast, subnet broadcast, multicast,
or anycast address. The local IP address must be in the same format
(IPv4 or IPv6) as the remote IP address.
The Prefix Length field is disabled if the IP address is a
wildcard *. Otherwise, it becomes enabled and is preset to the default
of 32 if the local address is in IPv4 format or 128 if the local
address is in IPv6 format.
Enter the IP Address and Prefix Length of your remote
system. You can use an IPv4 address or an IPv6 address.
The remote IP address cannot be a broadcast, subnet broadcast, multicast,
or anycast address. The remote IP address must be in the same format
(IPv4 or IPv6) as the local IP address.
The Prefix Length field is disabled if the IP address is a
wildcard *. Otherwise, it becomes enabled and is preset to the default
of 32 if the remote address is in IPv4 format or 128 if the remote
address is in IPv6 format.
NOTE: The Remote IP Address cannot be any IP address on the local host.
Check the Configure Policy Based on Service checkbox
to configure the service and ports automatically. Choose the service
you want to configure from the Service dropdown list. Specify whether
the Direction is inbound or outbound in the Direction dropdown list.
If you do not select Configure Policy Based on Service, you
must select a protocol, enter the local and remote port numbers,
and indicate whether the direction is from Local to Remote, Remote
to Local, or both.
NOTE: If you are using IPv6 addresses, you cannot choose the IGMP protocol. Additionally, you cannot choose the ICMP protocol except in specific, limited circumstances. See the "Configuration Reference" at the end of this chapter or the Online Help for more information.
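The field rules above (preset prefix length, when the Exclusive checkbox is forced on, the address-type and address-family checks, the local-host and IGMP restrictions) can be checked before a policy is entered. The following is an added example, not part of the HP-UX IPSec/9000 software or its documentation; it assumes the set of addresses configured on the local host is supplied by the caller, and treats any transform string other than Pass or Discard as a real IPSec transform.

```python
import ipaddress

WILDCARD = "*"

def default_prefix_len(addr):
    """Preset Prefix Length: 32 for IPv4, 128 for IPv6; None when the field is disabled (wildcard)."""
    if addr == WILDCARD:
        return None
    return ipaddress.ip_address(addr).max_prefixlen

def keying_mode(transform, remote_addr, remote_prefix, exclusive):
    """Resolve the Exclusive checkbox to 'session' or 'host' keying using the rules above.
    Any transform string other than Pass/Discard is treated as a real IPSec transform (assumption)."""
    if transform in ("Pass", "Discard"):
        if exclusive:
            raise ValueError("session-based keying is not allowed with a Pass or Discard transform")
        return "host"
    # A real transform with a subnet or wildcard remote forces the checkbox on (grayed out).
    if remote_addr == WILDCARD or remote_prefix < default_prefix_len(remote_addr):
        return "session"
    return "session" if exclusive else "host"

def check_addresses(local_addr, local_prefix, remote_addr, remote_prefix, local_host_addrs):
    """Return the problems found with the local/remote address pair (empty list means OK).
    local_host_addrs is the set of addresses configured on this host (assumed known to the caller)."""
    problems, parsed = [], {}
    for role, addr, prefix in (("local", local_addr, local_prefix), ("remote", remote_addr, remote_prefix)):
        if addr == WILDCARD:
            continue  # wildcard: Prefix Length is disabled and there is no address to classify
        ip = ipaddress.ip_address(addr)
        parsed[role] = ip
        if ip.is_multicast:
            problems.append(f"{role} address {addr} is multicast")
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        # Reject the limited broadcast and the directed (subnet) broadcast of the entered prefix.
        if ip.version == 4 and (addr == "255.255.255.255" or (prefix < 32 and ip == net.broadcast_address)):
            problems.append(f"{role} address {addr} is a broadcast address")
        # An anycast address cannot be recognised from its bits alone; that check stays manual.
    if len(parsed) == 2 and parsed["local"].version != parsed["remote"].version:
        problems.append("local and remote addresses must both be IPv4 or both be IPv6")
    if remote_addr in local_host_addrs:
        problems.append(f"remote address {remote_addr} is configured on the local host")
    return problems

def check_protocol(addr, protocol):
    """IGMP is not selectable with IPv6 addresses; the ICMP limits are not encoded here."""
    if addr != WILDCARD and ipaddress.ip_address(addr).version == 6 and protocol == "IGMP":
        return "IGMP cannot be selected for IPv6 addresses"
    return None
```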
Go on to "Step 6B, Configuring an IPSec/9000
Policy: Transform List."