Configuring An Ike-Based Ipsec Policy - H3C S5830V2 Security Configuration Manual
Hide thumbs
Also See for S5830V2:
- Configuration manual (318 pages) ,
- Command reference manual (301 pages) ,
- Installation manual (63 pages)
Table of Contents
Advertisement
Configuring an IKE-based IPsec policy
In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.
To configure an IKE-based IPsec policy, use one of the following methods:
Directly configure it by configuring the parameters in IPsec policy view.
•
Configure it by referencing an existing IPsec policy template with the parameters to be negotiated
•
configured.
A device referencing an IPsec policy that is configured in this way cannot initiate an SA
negotiation, but it can respond to a negotiation request. The parameters not defined in the
template are determined by the initiator. When the remote end's information (such as the IP
address) is unknown, this method allows the remote end to initiate negotiations with the local end.
Configuration restrictions and guidelines
To guarantee successful SA negotiations, make sure the IPsec configurations at the two ends of an IPsec
tunnel meet the following requirements:
The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security
•
protocols, security algorithms, and encapsulation mode.
The IPsec policies at the two tunnel ends must have the same IKE profile parameters.
•
•
An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation,
IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match
is found, no SA can be set up, and the packets expecting to be protected will be dropped.
The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional
•
on the responder. The remote IP address specified on the local end must be the same as the local
IP address specified on the remote end.
For an IPsec SA established through IKE negotiation:
The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.
•
•
The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires
when either lifetime expires.
Directly configuring an IKE-based IPsec policy
Step
1.
Enter system view.
2.
Create an IKE-based IPsec
policy entry and enter its view.
3.
(Optional.) Configure a
description for the IPsec
policy.
4.
Specify an ACL for the IPsec
policy.
Command
system-view
ipsec { ipv6-policy | policy }
policy-name seq-number isakmp
description text
security acl [ ipv6 ] { acl-number |
name acl-name } [ aggregation |
per-host ]
250
Remarks
N/A
By default, no IPsec policy exists.
By default, no description is
configured.
By default, no ACL is specified for
the IPsec policy.
An IPsec policy can reference only
one ACL.
Advertisement
Table of Contents
Troubleshooting
