4. Choose whether to use a manual or a dynamic policy.
Using a Manual Key Policy
1. Enter a manual policy to configure.
2. Configure the policy.
G8264 Application Guide for ENOS 8.4
destination IP address|any      The destination IP address in IPv6 format, or "any"
destination prefix length       (Optional) The length of the destination IPv6 prefix; an integer from 1-128
Permitted traffic that matches the policy in force is encrypted, while denied traffic
that matches the policy in force is dropped. Traffic that does not match the policy
bypasses IPsec and passes through in the clear (unencrypted). This fallback is silent:
a traffic selector that is too narrow produces no error, it simply leaves the unmatched
traffic unprotected, so verify that the selector covers everything that must be encrypted.
A manual policy involves configuring the policy and manual SA entries for the local and
remote peers.
To configure a manual key policy, you need:
The IP address of the peer in IPv6 format (for example, "3000::1").
Inbound/outbound session keys (and their SPIs) for the security protocol.
You can then assign the policy to an interface. The peer represents the other end of
the security association. The security protocol for the session key can be either ESP
or AH. Because the keys are static, the same values must be entered on both peers with
the directions swapped: the local inbound key and SPI are the remote peer's outbound key
and SPI, and vice versa. Generate the keys from a cryptographically secure random source
rather than choosing memorable values, and note that a manual SA is never rekeyed
automatically, so the keys stay in use until you replace them on both peers.
To create and configure a manual policy:
RS G8264(config)# ipsec manual-policy <policy number>
RS G8264(config-ipsec-manual)# peer <peer's IPv6 address>
RS G8264(config-ipsec-manual)# traffic-selector <IPsec traffic selector>
RS G8264(config-ipsec-manual)# transform-set <IPsec transform set>
RS G8264(config-ipsec-manual)# in-ah auth-key <inbound AH IPsec key>
RS G8264(config-ipsec-manual)# in-ah auth-spi <inbound AH IPsec SPI>
RS G8264(config-ipsec-manual)# in-esp cipher-key <inbound ESP cipher key>
RS G8264(config-ipsec-manual)# in-esp auth-spi <inbound ESP SPI>
RS G8264(config-ipsec-manual)# in-esp auth-key <inbound ESP authenticator key>
RS G8264(config-ipsec-manual)# out-ah auth-key <outbound AH IPsec key>
RS G8264(config-ipsec-manual)# out-ah auth-spi <outbound AH IPsec SPI>
RS G8264(config-ipsec-manual)# out-esp cipher-key <outbound ESP cipher key>
RS G8264(config-ipsec-manual)# out-esp auth-spi <outbound ESP SPI>
RS G8264(config-ipsec-manual)# out-esp auth-key <outbound ESP authenticator key>
where the following parameters are used:
peer's IPv6 address        The IPv6 address of the peer (for example, 3000::1)
IPsec traffic-selector     A number from 1-10
IPsec transform-set        A number from 1-10
inbound AH IPsec key       The inbound AH key code, in hexadecimal
inbound AH IPsec SPI       A number from 256-4294967295
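The following Python script is an added example, not part of the G8264 guide or of ENOS. It builds the manual-policy configuration for both peers of one security association from a single set of randomly generated keys, so that peer A's outbound SA is literally peer B's inbound SA, emits only the AH or only the ESP lines depending on the protocol the transform set uses, and refuses out-of-range values before they reach the switch. It assumes the hyphenated command spellings (ipsec manual-policy, traffic-selector, transform-set, in-esp cipher-key and so on), a transform set that takes a 128-bit cipher key and a 160-bit authenticator key written as hex digits, and the example peer addresses 3000::1 and 3000::2; the numeric ranges (policy, traffic-selector and transform-set numbers 1-10, SPI 256-4294967295) are the ones stated in this guide.

```python
"""Generate mirrored manual-key IPsec policies for two ENOS peers.

Added example, not from the G8264 guide. CLI keywords follow the
manual-policy commands in the guide; key sizes and peer addresses are
assumptions and are marked as such below.
"""
import re
import secrets
from dataclasses import dataclass

# Ranges stated in the guide.
POLICY_RANGE = range(1, 11)          # manual-policy, traffic-selector, transform-set: 1-10
SPI_MIN, SPI_MAX = 256, 4294967295   # auth-spi: 256-4294967295

# Assumption (not in the guide): the transform set uses a 128-bit cipher key
# and a 160-bit authenticator key, entered as hex digits on the CLI.
CIPHER_KEY_HEX_LEN = 32
AUTH_KEY_HEX_LEN = 40


@dataclass(frozen=True)
class SaKeys:
    """Keys for one direction of one security association."""
    spi: int
    auth_key: str
    cipher_key: str = ""   # empty for AH, which has no cipher


def random_sa_keys(protocol: str) -> SaKeys:
    """Draw SPI and keys from the OS CSPRNG; never derive them from passwords."""
    spi = SPI_MIN + secrets.randbelow(SPI_MAX - SPI_MIN + 1)
    auth_key = secrets.token_hex(AUTH_KEY_HEX_LEN // 2)
    cipher_key = secrets.token_hex(CIPHER_KEY_HEX_LEN // 2) if protocol == "esp" else ""
    return SaKeys(spi, auth_key, cipher_key)


def validate(protocol: str, keys: SaKeys) -> None:
    """Reject values the switch would reject or that are cryptographically wrong."""
    if protocol not in ("ah", "esp"):
        raise ValueError("protocol must be 'ah' or 'esp'")
    if not SPI_MIN <= keys.spi <= SPI_MAX:
        raise ValueError(f"SPI {keys.spi} outside {SPI_MIN}-{SPI_MAX}")
    if not re.fullmatch(rf"[0-9a-f]{{{AUTH_KEY_HEX_LEN}}}", keys.auth_key):
        raise ValueError(f"auth key must be exactly {AUTH_KEY_HEX_LEN} hex digits")
    if protocol == "esp" and not re.fullmatch(rf"[0-9a-f]{{{CIPHER_KEY_HEX_LEN}}}", keys.cipher_key):
        raise ValueError(f"ESP cipher key must be exactly {CIPHER_KEY_HEX_LEN} hex digits")


def sa_lines(direction: str, protocol: str, keys: SaKeys) -> list:
    """CLI lines for one direction ("in" or "out"), for AH or for ESP only."""
    validate(protocol, keys)
    if protocol == "ah":
        return [f"{direction}-ah auth-key {keys.auth_key}",
                f"{direction}-ah auth-spi {keys.spi}"]
    return [f"{direction}-esp cipher-key {keys.cipher_key}",
            f"{direction}-esp auth-spi {keys.spi}",
            f"{direction}-esp auth-key {keys.auth_key}"]


def peer_config(policy, peer_addr, selector, xform, protocol, inbound, outbound) -> str:
    """Config block for one peer. Leading spaces mark config-ipsec-manual mode."""
    for n, name in ((policy, "policy"), (selector, "traffic-selector"), (xform, "transform-set")):
        if n not in POLICY_RANGE:
            raise ValueError(f"{name} number {n} outside 1-10")
    lines = [f"ipsec manual-policy {policy}",
             f" peer {peer_addr}",
             f" traffic-selector {selector}",
             f" transform-set {xform}"]
    lines += [" " + l for l in sa_lines("in", protocol, inbound)]
    lines += [" " + l for l in sa_lines("out", protocol, outbound)]
    return "\n".join(lines)


def mirrored_pair(policy, addr_a, addr_b, selector, xform, protocol):
    """Configs for peers A and B: A's outbound SA is B's inbound SA and vice versa."""
    a_to_b = random_sa_keys(protocol)
    b_to_a = random_sa_keys(protocol)
    cfg_a = peer_config(policy, addr_b, selector, xform, protocol, inbound=b_to_a, outbound=a_to_b)
    cfg_b = peer_config(policy, addr_a, selector, xform, protocol, inbound=a_to_b, outbound=b_to_a)
    return cfg_a, cfg_b


def parse_sa(cfg: str) -> dict:
    """Read the in-/out- lines back so a generated pair can be checked for mirroring."""
    fields = {"in": {}, "out": {}}
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0][:3] in ("in-", "out"):
            direction = parts[0].split("-")[0]
            fields[direction][parts[1]] = parts[2]
    return {d: SaKeys(int(f["auth-spi"]), f["auth-key"], f.get("cipher-key", ""))
            for d, f in fields.items()}


if __name__ == "__main__":
    # Peer addresses are example values, as in the guide's own 3000::1.
    cfg_a, cfg_b = mirrored_pair(1, "3000::1", "3000::2", 1, 1, "esp")
    print(cfg_a, "\n", cfg_b, sep="")
```

Paste each block into the corresponding switch from configuration mode; parse_sa is there so you can re-read a running configuration later and confirm the two sides still mirror each other before suspecting anything else when the tunnel stops passing traffic.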