Configuring An Ike-Based Ipsec Policy - HPE FlexNetwork 10500 Series Security Configuration Manual

Configuring an IKE-based IPsec policy

In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.

To configure an IKE-based IPsec policy, use one of the following methods:

- Directly configure it by configuring the parameters in IPsec policy view.
- Configure it by using an existing IPsec policy template in which the parameters to be negotiated are configured. A device using an IPsec policy that is configured in this way cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator. When the remote end's information (such as its IP address) is unknown, this method allows the remote end to initiate negotiations with the local end.
Configuration restrictions and guidelines

When you configure an IKE-based IPsec policy, follow these restrictions and guidelines:

- The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
- The IPsec policies at the two tunnel ends must have the same IKE profile parameters.
- An IKE-based IPsec policy can use a maximum of six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.
- The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end.
- The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.
- The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires.
Directly configuring an IKE-based IPsec policy

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IKE-based IPsec policy entry and enter its view.
    Command: ipsec { ipv6-policy | policy } policy-name seq-number isakmp
    Remarks: By default, no IPsec policies exist.

Step 3. (Optional.) Configure a description for the IPsec policy.
    Command: description text
    Remarks: By default, no description is configured.

Step 4. Specify an ACL for the IPsec policy.
    Command: security acl { acl-number | name acl-name } [ aggregation | per-host ]
    Remarks: By default, no ACL is specified for an IPsec policy. You can specify only one ACL for an IPsec policy.

Step 5. Specify IPsec transform sets for the IPsec policy.
    Command: transform-set transform-set-name&<1-6>
    Remarks: By default, no IPsec transform sets are specified for an IPsec policy.
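The following is an added example, not taken from this manual, showing the steps in the table above as a complete initiator-side configuration on a Comware 7 device, together with the peer-address and lifetime settings that the guidelines describe. All names (ts1, kc1, prof1, pol1), ACL 3000, the subnets, the peer address 192.0.2.2, the interface name, and every command beyond step 5 (ike keychain, ike proposal, ike profile, ike-profile, remote-address, sa duration, ipsec apply policy) are assumptions that do not appear on this page.

```text
# Annotation lines starting with "#" are explanatory and are not CLI input.
# Names (ts1, kc1, prof1, pol1), ACL 3000, the 10.1.1.0/24 and 10.2.2.0/24
# subnets and the peer address 192.0.2.2 are constructed placeholders.
system-view
# Step 4 prerequisite: the ACL that selects traffic to protect (only one per policy).
acl advanced 3000
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
 quit
# Step 5 prerequisite: the transform set. Protocol, algorithms and
# encapsulation mode must be identical in the peer's transform set.
ipsec transform-set ts1
 protocol esp
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 encapsulation-mode tunnel
 quit
# IKE phase-1 settings (assumed commands): pre-shared key, proposal and profile.
# The IKE profile parameters must match on both tunnel ends.
ike keychain kc1
 pre-shared-key address 192.0.2.2 255.255.255.255 key simple REPLACE-WITH-STRONG-SECRET
 quit
ike proposal 1
 encryption-algorithm aes-cbc-256
 authentication-algorithm sha256
 dh group14
 quit
ike profile prof1
 keychain kc1
 proposal 1
 match remote identity address 192.0.2.2 255.255.255.255
 quit
# Steps 2-5 from the table, plus the peer and lifetime settings from the guidelines.
ipsec policy pol1 10 isakmp
 description site-A-to-site-B
 security acl 3000
 transform-set ts1
 ike-profile prof1
# Required on the initiator; must equal the local address configured on the peer.
 remote-address 192.0.2.2
# Time- and traffic-based lifetimes; the SA expires when either is reached,
# and the smaller of the local and peer-proposed values is used.
 sa duration time-based 3600
 sa duration traffic-based 1843200
 quit
# Apply the policy to the tunnel-facing interface (placeholder interface name).
interface GigabitEthernet1/0/1
 ipsec apply policy pol1
 quit
```

The responder needs the mirror image of the ACL, an identical transform set and IKE profile parameters, and a local address equal to the remote-address configured here; its own remote-address may be omitted.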