Table of Contents
Advertisement
S9700 Core Routing Switch
Configuration Guide - SPU
An IPSec policy group can contain up to 10000 IPSec policies. By default, no IPSec policy
exists.
Step 3 Run:
security acl acl-number
An ACL is applied to the IPSec policy.
An IPSec policy can use only one ACL. If more than one ACL is applied to the IPSec policy,
the last configured ACL takes effect.
Step 4 Run:
proposal proposal-name
An IPSec proposal is applied to the IPSec policy.
If the manual mode is used, an IPSec policy can use only one proposal. If an IPSec proposal has
been applied to the IPSec policy, cancel the existing proposal before applying a new one to the
IPSec policy. In addition, the IPSec proposals applied on the two ends of a tunnel must have the
same security protocol, algorithm, and packet encapsulation mode.
Step 5 Run:
tunnel local ip-address
The IP address of the local end is configured.
Step 6 Run:
tunnel remote ip-address
The IP address of the remote end is configured.
Step 7 Run:
sa spi { inbound | outbound } { ah | esp } spi-number
The SPI of the SA is configured.
When configuring an SA, set both inbound and outbound parameters.
To manually create an IPSec tunnel, use the sa spi command together with the sa string-key,
sa authentication-hex, or sa encryption-hex command.
The SA parameters on two ends of a tunnel must match each other. The inbound SPI of the local
end must be the same as the outbound SPI of the remote end, and the outbound SPI of the local
end must be the same as the inbound SPI of the remote end.
Step 8 (Optional) Run:
sa authentication-hex { inbound | outbound } { ah | esp } hex-key
The authentication key (a hexadecimal number) of the security protocol is configured.
Step 9 (Optional) Run:
sa string-key { inbound | outbound } { ah | esp } string-key
The authentication key (a character string) of the security protocol is configured.
Issue 01 (2012-03-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 IPSec Configuration
118
Advertisement
Table of Contents
