HP 5920 Series Configuration Manual page 242

The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional
•
on the responder. The remote IP address specified on the local end must be the same as the local
IP address specified on the remote end.
For an IPsec SA established through IKE negotiation:
The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.
•
The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires
•
when either lifetime expires.
Directly configuring an IKE-based IPsec policy
Step
1. Enter system view.
2. Create an IKE-based IPsec
policy entry and enter its view.
3. (Optional.) Configure a
description for the IPsec
policy.
4. Specify an ACL for the IPsec
policy.
5. Specify IPsec transform sets
for the IPsec policy.
6. Specify an IKE profile for the
IPsec policy.
Command
system-view
ipsec { ipv6-policy | policy }
policy-name seq-number isakmp
description text
security acl [ ipv6 ] { acl-number |
name acl-name } [ aggregation |
per-host ]
transform-set
transform-set-name&<1-6>
ike-profile profile-name
231
Remarks
N/A
By default, no IPsec policy exists.
By default, no description is
configured.
By default, no ACL is specified for
the IPsec policy.
An IPsec policy can reference only
one ACL.
By default, the IPsec policy
references no IPsec transform set.
By default, the IPsec policy
references no IKE profile, and the
device selects an IKE profile
configured in system view for
negotiation. If no IKE profile is
configured, the globally
configured IKE settings are used.
An IPsec policy can reference only
one IKE profile, and it cannot
reference any IKE profile that is
already referenced by another
IPsec policy or IPsec policy
template.
For more information about IKE
profiles, see "Configuring IKE."