Configuring A Manual Ipsec Policy - H3C S5830V2 Security Configuration Manual


Step 6. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature for the IPsec policy.
Command:
  In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }
  In FIPS mode: pfs dh-group14
Remarks:
  By default, the PFS feature is not used for SA negotiation.
  For more information about PFS, see "Configuring IKE."
  The security level of the local Diffie-Hellman group must be higher than or equal to that of the peer.
  The end without the PFS feature performs SA negotiation according to the PFS requirements of the peer end.

Configuring a manual IPsec policy

In a manual IPsec policy, the parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode.

Configuration restrictions and guidelines

Make sure the IPsec configurations at the two ends of an IPsec tunnel meet the following requirements:
- The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
- The remote IPv4 address configured on the local end must be the same as the primary IPv4 address of the interface to which the IPsec policy is applied at the remote end. The remote IPv6 address configured on the local end must be the same as the first IPv6 address of the interface to which the IPsec policy is applied at the remote end.
- At each end, configure parameters for both the inbound SA and the outbound SA, and make sure the SAs in each direction are unique: for an outbound SA, make sure its triplet (remote IP address, security protocol, and SPI) is unique; for an inbound SA, make sure its SPI is unique.
- The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and the remote inbound SA.
- The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and the remote inbound and outbound SAs must also use keys in characters.

Configuration procedure

To configure a manual IPsec policy:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create a manual IPsec policy entry and enter its view.
Command: ipsec { ipv6-policy | policy } policy-name seq-number manual
Remarks: By default, no IPsec policy exists.

Step 3. (Optional.) Configure a description for the IPsec policy.
Command: description text
Remarks: By default, no description is configured.
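The restrictions above can be checked mechanically before the keys and SPIs are typed into both devices. The following Python script is an added example, not part of the H3C manual: it models the two ends of a manual IPsec tunnel with constructed addresses, SPIs and keys, and reports violations of the transform-set, address, SPI/key and key-format rules, plus the per-device SA uniqueness rule.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class ManualSA:
    protocol: str    # "esp" or "ah"
    spi: int
    key: str
    key_format: str  # "string" (characters) or "hex"

@dataclass(frozen=True)
class ManualPolicy:
    local_addr: str   # primary address of the interface the policy is applied to
    remote_addr: str  # remote address configured in the policy
    transform: tuple  # (security protocol, encryption, authentication, encapsulation mode)
    inbound: ManualSA
    outbound: ManualSA

def check_pair(local, remote):
    """Check the two ends of one manual IPsec tunnel against each other."""
    problems = []
    if local.transform != remote.transform:
        problems.append("transform sets differ")
    if local.remote_addr != remote.local_addr or remote.remote_addr != local.local_addr:
        problems.append("remote address does not match the peer's interface address")
    pairs = ((local.inbound, remote.outbound, "local inbound/remote outbound"),
             (local.outbound, remote.inbound, "local outbound/remote inbound"))
    for mine, peer, label in pairs:  # each direction must agree on protocol, SPI and key
        if (mine.protocol, mine.spi, mine.key) != (peer.protocol, peer.spi, peer.key):
            problems.append(f"{label}: protocol, SPI or key mismatch")
    formats = {sa.key_format for sa in (local.inbound, local.outbound, remote.inbound, remote.outbound)}
    if len(formats) > 1:
        problems.append("keys are not all in the same format")
    return problems

def check_device(policies):
    """Check SA uniqueness across all manual policies configured on one device."""
    out = Counter((p.remote_addr, p.outbound.protocol, p.outbound.spi) for p in policies)
    inb = Counter(p.inbound.spi for p in policies)
    return ([f"duplicate outbound triplet {t}" for t, n in out.items() if n > 1]
            + [f"duplicate inbound SPI {s}" for s, n in inb.items() if n > 1])

# Constructed sample: site A and site B form one tunnel; A_TO_C reuses A's inbound SPI.
TS = ("esp", "aes-cbc-128", "sha1", "tunnel")
SITE_A = ManualPolicy("192.0.2.1", "198.51.100.1", TS,
                      ManualSA("esp", 12345, "key-b-to-a", "string"), ManualSA("esp", 54321, "key-a-to-b", "string"))
SITE_B = ManualPolicy("198.51.100.1", "192.0.2.1", TS,
                      ManualSA("esp", 54321, "key-a-to-b", "string"), ManualSA("esp", 12345, "key-b-to-a", "string"))
A_TO_C = ManualPolicy("192.0.2.1", "203.0.113.9", TS,
                      ManualSA("esp", 12345, "key-c-to-a", "string"), ManualSA("esp", 777, "key-a-to-c", "string"))
```

Running check_pair(SITE_A, SITE_B) returns an empty list, while check_device([SITE_A, A_TO_C]) flags the reused inbound SPI.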
This manual is also suitable for: S5820v2