Configuring A Manual Ipsec Policy - 3Com MSR 50 Series Configuration Manual

Configuring a Manual
IPSec Policy
mode. As for the latter, these parameters are automatically negotiated through
IKE.
You cannot change the generation mode of an existing IPSec policy; you can only
delete the policy and then re-create it with the new mode.
The IPSec policies manually configured at the two ends of an IPSec tunnel must
satisfy these requirements:
The IPSec proposals referenced by the IPSec policies must use the same security
■
protocol(s), security algorithms, and encapsulation mode.
For an IPSec tunnel, the remote IP address of the local end must be identical to
■
the local IP address of the remote end.
The SPI and keys of the inbound SA at the local end must match those of the
■
outbound SA at the remote end, and the SPI and keys of the outbound SA at
the local end must match those of the inbound SA at the remote end.
Both ends of an IPSec tunnel must be configured with the same key in the
■
same format.
Following these steps to configure an IPSec policy manually:
To do...
Enter system view
Manually create an IPSec policy
and enter its view
Specify the ACL for the IPSec
policy to reference
Specify the IPSec proposal(s) for
the IPSec policy to reference
Configure the Configure the
two ends of local address of
the IPSec the tunnel
tunnel
Configure the
remote address
of the tunnel
Configure the SPIs for the SAs
Configuring an IPSec Policy
Use the command...
system-view
ipsec policy policy-name
seq-number manual
security acl acl-number
proposal
proposal-name&<1-6>
tunnel local ip-address
tunnel remote ip-address
sa spi { inbound |
outbound } { ah | esp }
spi-number
1883
Remarks
-
Required
By default, no IPSec policy
exists.
Required
By default, an IPSec policy
references no ACL.
Required
By default, an IPSec policy
references no IPSec proposal.
Required
Not configured by default
Required
Not configured by default
Required