HPE FlexFabric 7900 Series Security Configuration Manual page 121

An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation, IKE searches for a transform set that fully matches at both ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets the policy is meant to protect are dropped.

The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end.

For an IPsec SA established through IKE negotiation:
- The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.
- The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires.
Configuration procedure

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IKE-based IPsec policy entry and enter its view.
  Command: ipsec policy policy-name seq-number isakmp
  Remarks: By default, no IPsec policy exists.

Step 3. (Optional.) Configure a description for the IPsec policy.
  Command: description text
  Remarks: By default, no description is configured.

Step 4. Specify an ACL for the IPsec policy.
  Command: security acl { acl-number | name acl-name } [ aggregation | per-host ]
  Remarks: By default, no ACL is specified for the IPsec policy. An IPsec policy can reference only one ACL.

Step 5. Specify IPsec transform sets for the IPsec policy.
  Command: transform-set transform-set-name&<1-6>
  Remarks: By default, the IPsec policy references no IPsec transform set.

Step 6. Specify an IKE profile for the IPsec policy.
  Command: ike-profile profile-name
  Remarks: By default, the IPsec policy references no IKE profile, and the device selects an IKE profile configured in system view for negotiation. If no IKE profile is configured, the globally configured IKE settings are used. An IPsec policy can reference only one IKE profile, and it cannot reference any IKE profile that is already referenced by another IPsec policy. For more information about IKE profiles, see "Configuring IKE."

Step 7. Specify the local IP address of the IPsec tunnel.
  Command: local-address ipv4-address
  Remarks: By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied. The local IP address specified by this command must be the same as the IP address used as the local IKE identity.

Step 8. Specify the remote IP
  Command: remote-address { host-name |
  Remarks: By default, the remote IP address
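The following two-device configuration walks through steps 1 to 8 above end to end. It is an added illustration, not an example from the manual. Only the ipsec policy, description, security acl, transform-set, ike-profile, local-address and remote-address commands come from this page; the ACL, ipsec transform-set, ike keychain, ike profile, sa duration, interface and ipsec apply policy commands, the device names, addresses, algorithm choices and the pre-shared key are assumptions drawn from the general Comware 7 command set. The remote-address syntax on this page is truncated, and the example assumes it also accepts an IPv4 address. Lines beginning with # are annotations, not commands.

```text
# Device A (tunnel endpoint 1.1.1.1). All names, addresses and algorithms are assumed.
system-view
# Traffic to protect. The page says a policy references exactly one ACL.
acl advanced 3101
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
quit
# Transform set. Both ends must offer an identical set or no SA is built and
# matching traffic is dropped. Algorithms are an assumption, not from this page.
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
quit
# IKE keychain and profile (assumed commands). The key is a placeholder only.
ike keychain keychain1
 pre-shared-key address 2.2.2.2 255.255.255.255 key simple ChangeMe-PSK-1
quit
ike profile profile1
 keychain keychain1
 local-identity address 1.1.1.1
 match remote identity address 2.2.2.2 255.255.255.255
quit
# Steps 2 to 8: the IKE-based policy entry.
ipsec policy policy1 10 isakmp
 description SiteA-to-SiteB
 security acl 3101
 transform-set tran1
 ike-profile profile1
 # Must equal the local IKE identity set in the profile (1.1.1.1).
 local-address 1.1.1.1
 # Must equal the local-address configured on Device B.
 remote-address 2.2.2.2
 # Assumed command. A proposes 3600 s; the smaller of the two ends wins.
 sa duration time-based 3600
quit
interface ten-gigabitethernet 1/0/1
 ip address 1.1.1.1 255.255.255.0
 ipsec apply policy policy1
quit

# Device B (tunnel endpoint 2.2.2.2): the mirror image of Device A.
system-view
acl advanced 3101
 rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
quit
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
quit
ike keychain keychain1
 pre-shared-key address 1.1.1.1 255.255.255.255 key simple ChangeMe-PSK-1
quit
ike profile profile1
 keychain keychain1
 local-identity address 2.2.2.2
 match remote identity address 1.1.1.1 255.255.255.255
quit
ipsec policy policy1 10 isakmp
 description SiteB-to-SiteA
 security acl 3101
 transform-set tran1
 ike-profile profile1
 local-address 2.2.2.2
 # Device B is the responder here, so remote-address is optional; it is set
 # anyway so either side can initiate.
 remote-address 1.1.1.1
 # B proposes 1800 s, so the negotiated SA lifetime on both ends is 1800 s.
 sa duration time-based 1800
quit
interface ten-gigabitethernet 1/0/1
 ip address 2.2.2.2 255.255.255.0
 ipsec apply policy policy1
quit
```

Two points to check once traffic matching the ACLs flows: the IKE profile on each device is referenced by exactly one policy, as the step 6 remarks require, and the local-address on each side equals the remote-address on the other and the local IKE identity on its own side. If either pair disagrees, or the two transform sets differ in any parameter, IKE finds no match and the protected traffic is silently dropped rather than sent in the clear. Replace the placeholder pre-shared key before use; the key and algorithm choices here are the example's, not the manual's.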
