Table of Contents
Advertisement
At an interface, only one IPSec policy group can be applied. An IPSec policy group
can only be applied at one interface.
When a packet is sent from an interface, it displays for every IPSec policy in the
IPSec policy group by number in an ascending order. If the packet matches an
access control list used by an IPSec policy, then this IPSec policy is used to process
the packet; otherwise it continues to display for the next IPSec policy. If the packet
does not match any of the access control lists used by all the IPSec policies, it will be
directly transmitted (that is, IPSec will not protect the packet).
To prevent transmitting any unencrypted packet from the interface, it is necessary to
use the firewall together with IPSec; the firewall is for dropping all the packets that do
not need to be encrypted.
The IPSec policy group being applied at the interface must be deleted before another
group is applied at the interface.
For related commands, see ipsec policy (system view).
Example
# Apply an IPSec policy whose name is policy1 at Serial 0.
[3Com]ipsec policy policy1 100 manual
[3Com]interface serial 0
[3Com-Serial0]ipsec policy policy1
4.1.27 ipsec policy (system view)
Syntax
ipsec policy policy-name sequence-number [ manual | isakmp ]
un ipsec policy policy-name [sequence-number]
View
System view
Parameter
policy-name: Name of the IPSec policy. Ranging 1 to 30 characters.
sequence-number: Sequence number of the crypt map. Ranging 0 to 10000.
manual: Setting up SA manually.
isakmp: Setting up SA through IKE negotiation.
Security
69
- Quick Links:
- Command Line Interface Commands
Hide quick links:
Advertisement
Chapters
Table of Contents
