Huawei AR1200 series Configuration Manual page 300

Huawei AR1200 Series Enterprise Routers
Configuration Guide - VPN
Context
When configuring SPI, string authentication key (string-key), hexadecimal authentication key
(authentication-hex), and hexadecimal encryption key (encryption-hex) on two ends of an
IPSec tunnel, ensure that the inbound parameters on the local end are the same as the outbound
parameters on the remote end, and the outbound parameters on the local end are the same as the
inbound parameters on the remote end.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number manual
An IPSec policy is created.
An IPSec policy group can contain up to 10000 IPSec policies. By default, no IPSec policy
exists.
Step 3 Run:
security acl acl-number
An ACL is applied to the IPSec policy.
An IPSec policy can use only one ACL. If more than one ACL is applied to the IPSec policy,
the last configured ACL takes effect.
Step 4 Run:
proposal proposal-name
An IPSec proposal is applied to the IPSec policy.
If the manual mode is used, an IPSec policy can use only one proposal. If an IPSec proposal has
been applied to the IPSec policy, cancel the existing proposal before applying a new one to the
IPSec policy. In addition, the IPSec proposals applied on the two ends of a tunnel must have the
same security protocol, algorithm, and packet encapsulation mode.
Step 5 Run:
tunnel local ip-address
The IP address of the local end is configured.
Step 6 Run:
tunnel remote ip-address
The IP address of the remote end is configured.
Step 7 Run:
sa spi inbound { ah | esp } spi-number
The SPI of the inbound SA is configured.
Issue 01 (2012-04-20)
CAUTION
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
5 IPSec Configuration
289