Snmp-Agent Trap Enable Ipsec - H3C MSR Series Command Reference Manual

Comware 7 security

Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an
ACL. This mode is only used to communicate with old-version devices.
Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data
flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it.
This mode consumes more system resources when multiple data flows exist between two
subnets to be protected.
A manual IPsec policy supports only the aggregation mode.
A GDOI-based IPsec policy supports only the standard mode. On a GM, do not configure permit
rules in the local ACL used by a GDOI-based IPsec policy. Otherwise, packets matching the permit
rules are dropped.
Examples
# Specify IPv4 advanced ACL 3001 for the IPsec policy policy1.
<Sysname> system-view
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-ipv4-adv-3001] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] security acl 3001
# Specify IPv4 advanced ACL 3002 for the IPsec policy policy2 and specify the data protection
mode as aggregation.
<Sysname> system-view
[Sysname] acl advanced 3002
[Sysname-acl-ipv4-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255
[Sysname-acl-ipv4-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255
[Sysname-acl-ipv4-adv-3002] quit
[Sysname] ipsec policy policy2 1 isakmp
[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation
Related commands
display ipsec sa
display ipsec tunnel
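
As an added illustration (not part of the H3C manual), the following Python sketch models how the data protection modes described above change the number of IPsec tunnels needed for ACL 3002 from the second example. The flows are constructed sample data and the function names are hypothetical. The one-tunnel-per-rule behavior for standard mode is an assumption, because that mode is not described in this excerpt.

```python
from ipaddress import IPv4Address

# ACL 3002 from the manual's second example: (rule id, src, src wildcard, dst, dst wildcard).
ACL_3002 = [
    (0, "10.1.2.1", "0.0.0.255", "10.1.2.2", "0.0.0.255"),
    (1, "10.1.3.1", "0.0.0.255", "10.1.3.2", "0.0.0.255"),
]

# Constructed sample flows (source host, destination host); the last one matches no rule.
SAMPLE_FLOWS = [
    ("10.1.2.10", "10.1.2.20"),
    ("10.1.2.11", "10.1.2.20"),
    ("10.1.2.10", "10.1.2.21"),
    ("10.1.3.5", "10.1.3.9"),
    ("192.168.0.1", "10.1.2.20"),
]

def wildcard_match(addr, base, wildcard):
    """ACL wildcard match: bits set to 1 in the wildcard are ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

def matching_rule(acl, src, dst):
    """Return the id of the first rule that permits the flow, or None."""
    for rule_id, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return rule_id
    return None

def tunnels_needed(acl, flows, mode):
    """Count the tunnels this simplified model assigns to the flows in a mode."""
    if mode not in ("aggregation", "standard", "per-host"):
        raise ValueError(f"unknown mode: {mode}")
    tunnels = set()
    for src, dst in flows:
        rule_id = matching_rule(acl, src, dst)
        if rule_id is None:
            continue  # not permitted by the ACL, so not protected by this policy
        if mode == "aggregation":
            tunnels.add("whole-acl")    # one tunnel for all rules of the ACL
        elif mode == "standard":
            tunnels.add(rule_id)        # assumption: one tunnel per ACL rule
        else:
            tunnels.add((src, dst))     # per-host: one tunnel per host pair
    return len(tunnels)

if __name__ == "__main__":
    for mode in ("aggregation", "standard", "per-host"):
        print(mode, tunnels_needed(ACL_3002, SAMPLE_FLOWS, mode))
```

The per-host count grows with every new host pair inside the permitted subnets, which is the resource cost the mode description warns about.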

snmp-agent trap enable ipsec

Use the snmp-agent trap enable ipsec command to enable SNMP notifications for IPsec.
Use the undo snmp-agent trap enable ipsec command to disable SNMP notifications for IPsec.
Syntax
snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global |
invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach |
tunnel-start | tunnel-stop ] *
undo snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global |
invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach |
tunnel-start | tunnel-stop ] *
Default
All SNMP notifications for IPsec are disabled.