HP A6600 Configuration Manual page 270

To do... / Command... / Remark

6. Enable and configure the perfect forward secrecy feature for the IPsec policy.
   Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
   Remark: Optional. By default, the PFS feature is not used for negotiation. For more information, see "Configuring IKE."

7. Configure the SA lifetime.
   Command: sa duration { time-based seconds | traffic-based kilobytes }
   Remark: Optional. By default, the global SA lifetime settings are used.

8. Enable the IPsec policy.
   Command: policy enable
   Remark: Optional. Enabled by default.

9. Return to system view.
   Command: quit

10. Configure the global SA lifetime.
    Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
    Remark: Optional. 3600 seconds for time-based SA lifetime by default. 1,843,200 kilobytes for traffic-based SA lifetime by default.

11. Create an IPsec policy by referencing an IPsec policy template.
    Command: ipsec policy policy-name seq-number isakmp template template-name
    Remark: Required. By default, no IPsec policy exists.

NOTE:
You cannot change the parameters of an IPsec policy created by referencing an IPsec policy template directly in IPsec policy view. Perform the required changes in IPsec policy template view.
An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last one takes effect.
With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec proposals. During negotiation, IKE searches for a fully matched IPsec proposal at the two ends of the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to be protected are dropped.
During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is performed. If the local end uses PFS, the remote end must also use PFS for negotiation, and both ends must use the same DH group. Otherwise, the negotiation fails.
You can set both the time-based SA lifetime and the traffic-based SA lifetime. Once the time-based lifetime or traffic-based lifetime of an SA elapses, the SA is aged.
An SA uses the global lifetime settings when it is not configured with lifetime settings in IPsec policy view. When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer, whichever are smaller.
You cannot change the creation mode of an IPsec policy between the two, direct configuration and configuration by referencing an IPsec policy template. To create an IPsec policy in another creation mode, delete the current one, and then configure a new IPsec policy.

258
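The following is an added walkthrough of steps 6 through 11 as they would be typed on a Comware-based device; it is not taken from the HP manual. The template name "hq", the policy name "branches", the sequence numbers and the lifetime values are assumed, and the policy template itself (with its ACL, proposal and IKE peer references) is assumed to have been created in earlier steps that are not on this page. The "#" lines are explanatory comments, not commands.

```text
# Enter system view, then the policy template view created in earlier steps (assumed name "hq", seq 10).
system-view
 ipsec policy-template hq 10
# Step 6: require PFS with a 2048-bit group. The peer must also enable PFS
# and select the same DH group, or the negotiation fails.
  pfs dh-group14
# Step 7: policy-level lifetimes override the global ones. Both limits apply;
# the SA is aged as soon as either elapses, and IKE uses the smaller of the
# local and peer-proposed values.
  sa duration time-based 1800
  sa duration traffic-based 921600
# Step 8: the policy is enabled by default; the command is shown for completeness.
  policy enable
# Step 9: back to system view.
  quit
# Step 10: global lifetime used by any policy that sets no lifetime of its own.
 ipsec sa global-duration time-based 7200
# Step 11: create the policy from the template. Later changes go into the
# template view, not the policy view, and the creation mode cannot be switched
# without deleting the policy and creating it again.
 ipsec policy branches 1 isakmp template hq
```

Because step 11 creates the policy by reference, the values set in the template view are what the tunnel will negotiate; choosing a stronger DH group and a shorter lifetime here is effective only if the remote end is configured to match, as the NOTE above states.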
