H3C S5830V2 Security Configuration Manual page 266

A device that references an IPsec policy configured by using an IPsec policy template cannot initiate
an SA negotiation, but it can respond to a negotiation request. Parameters that are not defined in the
template are determined by the initiator. For example, the ACL is optional in an IPsec policy template.
If you do not specify an ACL, the IPsec protection range has no limit, so the device accepts all ACL
settings of the negotiation initiator. When the remote end's information (such as the IP address) is
unknown, an IPsec policy configured by using this method allows the remote end to initiate negotiations
with the local end.

To configure an IKE-based IPsec policy by referencing an IPsec policy template:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IPsec policy template and enter its view.
   Command: ipsec { ipv6-policy-template | policy-template } template-name seq-number
   Remarks: By default, no IPsec policy template exists.

3. (Optional.) Configure a description for the IPsec policy template.
   Command: description text
   Remarks: By default, no description is configured.

4. (Optional.) Specify an ACL for the IPsec policy template.
   Command: security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]
   Remarks: By default, no ACL is specified for the IPsec policy template.
   An IPsec policy template can reference only one ACL.

5. Specify the IPsec transform sets for the IPsec policy template to reference.
   Command: transform-set transform-set-name&<1-6>
   Remarks: By default, the IPsec policy template references no IPsec transform set.

6. Specify the IKE profile for the IPsec policy template to reference.
   Command: ike-profile profile-name
   Remarks: By default, the IPsec policy template references no IKE profile.
   An IPsec policy template can reference only one IKE profile, and it cannot reference
   any IKE profile that is already referenced by other IPsec policy templates or IPsec policies.
   For more information about IKE profiles, see "Configuring IKE."

7. (Optional.) Specify the local IP address of the IPsec tunnel.
   Command: local-address { ipv4-address | ipv6 ipv6-address }
   Remarks: By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address
   of the interface to which the IPsec policy is applied, and the local IPv6 address of the
   IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied.
   The local IP address specified by this command must be the same as the IP address used as
   the local IKE identity.

8. (Optional.) Specify the remote IP address of the IPsec tunnel.
   Command: remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }
   Remarks: By default, the remote IP address of the IPsec tunnel is not specified.
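
Because the ACL is optional and an unset ACL leaves the protection range to the initiator, a configuration review should flag templates that omit it. The following Python audit is an added example, not part of the H3C manual; the sample configuration, its names, and the assumed layout (a view header followed by space-indented sub-commands, separated by "#" lines) are constructed for illustration.

```python
import re

# Constructed sample (names and addresses are made up for this example).
SAMPLE_CONFIG = """\
#
ipsec policy-template branch 1
 description open responder
 transform-set tran1
 ike-profile prof1
#
ipsec policy-template branch 2
 security acl 3101
 transform-set tran1 tran2
 ike-profile prof2
 remote-address 192.0.2.10
#
ipsec ipv6-policy-template v6tmpl 1
 security acl ipv6 name v6-protect
 ike-profile prof1
#
"""
HEADER = re.compile(r"^ipsec (?:ipv6-)?policy-template \S+ \d+$")

def parse_templates(config_text):
    """Return {template header line: [sub-commands]} for each template view."""
    templates, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if HEADER.match(line):
            current = templates.setdefault(line, [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "#" separator or another view ends the block
    return templates

def audit_templates(config_text):
    """Return (header, finding) pairs for templates that need review."""
    findings, profile_users = [], {}
    for header, cmds in parse_templates(config_text).items():
        words = [c.split() for c in cmds]
        if not any(w[:2] == ["security", "acl"] for w in words):
            findings.append((header, "no ACL: protection range set by initiator"))
        if not any(w[0] == "transform-set" for w in words):
            findings.append((header, "no transform set referenced"))
        for w in words:
            if w[0] == "ike-profile" and len(w) > 1:
                profile_users.setdefault(w[1], []).append(header)
    for profile, users in profile_users.items():  # only templates are checked here
        for header in users[1:]:
            findings.append((header, f"IKE profile {profile} already referenced"))
    return findings
```

Calling audit_templates(SAMPLE_CONFIG) reports the first template for its missing ACL and the IPv6 template for its missing transform set and reused IKE profile.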

This manual is also suitable for:

S5820v2