HPE Moonshot 45Gc Security Configuration Manual page 283

Switch module

Configuring an IKE-based IPsec policy by referencing an IPsec policy template
The configurable parameters for an IPsec policy template are the same as those for a directly configured IKE-based IPsec policy. The difference is that more parameters are optional in an IPsec policy template: except for the IPsec transform sets and the IKE profile, all parameters are optional.

A device that references an IPsec policy configured from an IPsec policy template cannot initiate an SA negotiation, but it can respond to a negotiation request. Parameters not defined in the template are determined by the initiator. For example, the ACL is optional in an IPsec policy template. If you do not specify an ACL, the IPsec protection range has no limit, so the device accepts all ACL settings of the negotiation initiator. When the remote end's information (such as its IP address) is unknown, an IPsec policy configured by using this method allows the remote end to initiate negotiations with the local end.

To configure an IKE-based IPsec policy by referencing an IPsec policy template:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IPsec policy template and enter its view.
  Command: ipsec { ipv6-policy-template | policy-template } template-name seq-number
  Remarks: By default, no IPsec policy template exists.

Step 3. (Optional.) Configure a description for the IPsec policy template.
  Command: description text
  Remarks: By default, no description is configured.

Step 4. (Optional.) Specify an ACL for the IPsec policy template.
  Command: security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]
  Remarks: By default, no ACL is specified for the IPsec policy template. An IPsec policy template can reference only one ACL.

Step 5. Specify the IPsec transform sets for the IPsec policy template to reference.
  Command: transform-set transform-set-name&<1-6>
  Remarks: By default, the IPsec policy template references no IPsec transform set.

Step 6. Specify the IKE profile for the IPsec policy template to reference.
  Command: ike-profile profile-name
  Remarks: By default, the IPsec policy template references no IKE profile. An IPsec policy template can reference only one IKE profile and it cannot reference any IKE profile that is already referenced by another IPsec policy template or IPsec policy. For more information about IKE profiles, see "Configuring IKE."

Step 7. Specify an IKEv2 profile for the IPsec policy template.
  Command: ikev2-profile profile-name
  Remarks: By default, no IKEv2 profile is specified for an IPsec policy template. You can specify only one IKEv2 profile for an IPsec policy template. For more information about IKEv2 profiles, see "Configuring IKEv2."

Step 8. (Optional.) Specify the local IP address of the IPsec tunnel.
  Command: local-address { ipv4-address | ipv6 ipv6-address }
  Remarks: By default, the local IPv4 address of IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6
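
The following Python check is an added example, not part of the HPE manual: it scans saved configuration text for policy template entries that omit the ACL (so the initiator decides the protection range), reference no transform set, or share an IKE profile with another template. The sample configuration is constructed, and its layout (sub-commands indented under the template line, "#" separators) is an assumption about how the configuration is displayed.

```python
import re
from collections import defaultdict

# Constructed sample; the layout (template line, indented sub-commands, '#'
# separators) is an assumption about how the saved configuration is displayed.
SAMPLE_CONFIG = """\
ipsec policy-template branch 10
 security acl 3001
 transform-set ts-aes
 ike-profile prof-branch
#
ipsec policy-template roaming 10
 transform-set ts-aes
 ike-profile prof-branch
#
ipsec ipv6-policy-template v6peers 5
 security acl ipv6 name v6-protect
 ikev2-profile prof-v6
"""
HEADER = re.compile(r"^ipsec (?:ipv6-)?policy-template (\S+) (\d+)$")

def parse_templates(text):
    """Return {(name, seq): [sub-command lines]} for each template entry."""
    templates, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = templates.setdefault((m.group(1), int(m.group(2))), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '#' separator or another top-level command
    return templates

def audit(text):
    """Return sorted (template, seq, finding) tuples."""
    findings, ike_users = [], defaultdict(list)
    for (name, seq), cmds in parse_templates(text).items():
        if not any(c.startswith("security acl ") for c in cmds):
            findings.append((name, seq, "no ACL: protection range set by initiator"))
        if not any(c.startswith("transform-set ") for c in cmds):
            findings.append((name, seq, "no transform set referenced"))
        for c in cmds:
            if c.startswith("ike-profile "):
                ike_users[c.split()[1]].append((name, seq))
    for profile, users in ike_users.items():
        if len({n for n, _ in users}) > 1:  # same profile under different templates
            findings += [(n, s, f"IKE profile {profile} shared") for n, s in users]
    return sorted(findings)
```

Calling audit(SAMPLE_CONFIG) reports the roaming template for the missing ACL, v6peers for the missing transform set, and both branch and roaming for sharing prof-branch.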
