(Optional) Configuring an IPSec Policy Template - Huawei Quidway S7700 Configuration Manual

Quidway S7700 Smart Routing Switch
Configuration Guide - SPU
Step 4 Run:
security acl acl-number
An ACL is applied to the IPSec policy.
Step 5 (Optional) Run:
sa trigger-mode { auto | traffic-based }
The SA triggering mode is configured.
After IKE negotiation phase 1 succeeds, the IPSec SA is established in the specified triggering
mode. In automatic triggering mode, the IPSec SA is established immediately after IKE
negotiation phase 1 succeeds. In traffic-based triggering mode, the IPSec SA is established only
after packets are received.
By default, the automatic triggering mode is used.
Step 6 (Optional) Run:
sa duration { traffic-based kilobytes | time-based interval }
The SA lifetime is set.
- In IKEv1, the IKE peers compare the lifetime set in their IPSec proposals and use the smaller
  value as the IPSec SA lifetime.
- In IKEv2, the IKE peers do not negotiate the SA lifetime. Instead, they use the locally set
  SA lifetime.
- The default IPSec SA lifetime is 3600 seconds, and the default traffic volume is 1843200
  kilobytes.
Step 7 Run:
ike-peer peer-name
An IKE peer is applied to the IPSec policy.
Step 8 (Optional) Run:
pfs { dh-group1 | dh-group2 }
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.
If PFS is specified on the local end, you also need to specify PFS on the remote peer. The Diffie-
Hellman group specified on the two ends must be the same; otherwise, the negotiation fails. If
the remote end uses the template mode, the Diffie-Hellman groups can be different.
----End
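
The lifetime rule in Step 6 and the PFS rule in Step 8, as an added Python example (not part of the Huawei guide) that checks the planned settings of two tunnel ends before they are configured. The PolicyEnd fields, the end names and the sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_SECONDS = 3600       # default time-based lifetime stated in the guide
DEFAULT_KILOBYTES = 1843200  # default traffic-based lifetime stated in the guide
PFS_GROUPS = ("dh-group1", "dh-group2")  # values accepted by the pfs command

@dataclass
class PolicyEnd:                 # hypothetical model of one end's settings
    name: str
    seconds: int = DEFAULT_SECONDS
    kilobytes: int = DEFAULT_KILOBYTES
    pfs: Optional[str] = None    # value given to the pfs command, or None
    template: bool = False       # True if this end uses an IPSec policy template

def effective_lifetime(local, remote, ike_version):
    """Map each end's name to the (seconds, kilobytes) lifetime it will use."""
    if ike_version == 1:
        # IKEv1: both ends use the smaller value. Applying the rule to each
        # dimension separately is this example's assumption.
        agreed = (min(local.seconds, remote.seconds),
                  min(local.kilobytes, remote.kilobytes))
        return {local.name: agreed, remote.name: agreed}
    if ike_version == 2:
        # IKEv2: no negotiation, each end keeps its locally set lifetime.
        return {e.name: (e.seconds, e.kilobytes) for e in (local, remote)}
    raise ValueError("ike_version must be 1 or 2")

def pfs_findings(local, remote):
    """Return the Step 8 problems for this pair of ends as a list of strings."""
    findings = []
    for end in (local, remote):
        if end.pfs is not None and end.pfs not in PFS_GROUPS:
            findings.append(f"{end.name}: unknown PFS group {end.pfs!r}")
    if local.pfs and not remote.pfs:
        findings.append(f"{remote.name}: PFS is set on {local.name} but not here")
    elif (local.pfs and remote.pfs and local.pfs != remote.pfs
          and not remote.template):
        findings.append("DH groups differ and the remote end is not in "
                        "template mode: negotiation fails")
    return findings

if __name__ == "__main__":
    hq = PolicyEnd("hq", seconds=7200, pfs="dh-group2")          # constructed
    branch = PolicyEnd("branch", seconds=1800, pfs="dh-group1")  # constructed
    for version in (1, 2):
        print(f"IKEv{version}:", effective_lifetime(hq, branch, version))
    print(pfs_findings(hq, branch))
```

With IKEv2 the two ends in this sample rekey on different schedules (7200 and 1800 seconds), which is worth knowing when reading SA expiry logs. The two groups the pfs command accepts are the 768-bit and 1024-bit MODP groups defined in RFC 2409.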

4.4.7 (Optional) Configuring an IPSec Policy Template

An IPSec policy template can be used to configure multiple IPSec policies, thus reducing the
workload of establishing multiple IPSec tunnels.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 IPSec Configuration