3Com MSR 50 Series Configuration Manual page 1886

3com msr 30-16: software guide
Chapter 100: IPSec Configuration
| To do... | Use the command... | Remark |
|---|---|---|
| Specify the IPSec proposal(s) for the IPSec policy to reference | `proposal proposal-name&<1-6>` | Required. By default, an IPSec policy references no IPSec proposal. |
| Specify the IKE peer for the IPSec policy to reference | `ike-peer peer-name` | Required |
| Enable and configure the perfect forward secrecy feature for the IPSec policy | `pfs { dh-group1 \| dh-group2 \| dh-group5 \| dh-group14 }` | Optional. By default, the PFS feature is not used for negotiation. For information about PFS, refer to "Security Mechanisms of IKE" on page 1901. |
| Configure SA lifetime | `sa duration { time-based seconds \| traffic-based kilobytes }` | Optional. 3,600 seconds for time-based SA lifetime by default; 1,843,200 kilobytes for traffic-based SA lifetime by default. |
| Return to system view | `quit` | - |
| Configure the global SA lifetime | `ipsec sa global-duration { time-based seconds \| traffic-based kilobytes }` | Optional. 3,600 seconds for time-based SA lifetime by default; 1,843,200 kilobytes for traffic-based SA lifetime by default. |
| Create an IPSec policy by referencing the IPSec policy template | `ipsec policy policy-name seq-number isakmp template template-name` | Required. By default, no IPSec policy exists. |

You cannot change the parameters of an IPSec policy created by referencing an IPSec policy template directly in IPSec policy view. You can perform the required changes in IPSec policy template view.

An IPSec policy can reference only one ACL. If you apply multiple ACLs to an IPSec policy, only the last one takes effect.

For SAs established through IKE negotiation, an IPSec policy can reference up to six IPSec proposals. IKE will search for a fully matched IPSec proposal at the two ends of the expected IPSec tunnel. If no match is found, no SA can be set up and the packets expecting to be protected will be dropped.

When IKE applies an IPSec policy with PFS to initiate a negotiation, an additional key exchange is performed. If the local end adopts PFS, the remote end must also adopt PFS for negotiation. Both ends must specify the same Diffie-Hellman (DH) group; otherwise, the negotiation between them will fail. The PFS feature allows IPSec to perform an additional key exchange process during the IKE phase 2 negotiation, providing an additional level of security.

An SA uses the global lifetime when it is not configured with a lifetime in IPSec policy view. When negotiating to set up SAs, IKE uses the smaller one between the lifetime set locally and the lifetime proposed by the peer.
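The procedure in the table, carried through as an added configuration example for the end that uses an IPSec policy template (this is illustrative text written for this page, not a configuration from the 3Com manual). The proposal name, IKE peer name, ACL number, addresses and interface are assumptions, the pre-shared key is a placeholder, and the `ipsec proposal`, `ike peer`, `acl` and `ipsec policy-template` commands that create the objects the table references are assumed from earlier steps of the chapter that are not on this page. Lines beginning with `#` are annotations, not commands.

```text
# Added example: names, addresses and ACL are assumptions, not from the manual.
# IPSec proposal the policy will reference (assumed earlier step of this chapter)
ipsec proposal prop1
 encapsulation-mode tunnel
 transform esp
 esp encryption-algorithm aes
 esp authentication-algorithm sha1
 quit
# IKE peer the policy will reference (assumed earlier step; key is a placeholder)
ike peer branch1
 pre-shared-key simple PLACEHOLDER-PSK
 remote-address 192.0.2.10
 quit
# Traffic to protect; only one ACL can be referenced, the last applied wins
acl number 3000
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
 quit
# Policy template: the steps listed in the table, in template view
ipsec policy-template temp1 10
 security acl 3000
 proposal prop1
 ike-peer branch1
 pfs dh-group2
 sa duration time-based 3600
 sa duration traffic-based 1843200
 quit
# Global SA lifetime, used by SAs whose policy sets no lifetime of its own
ipsec sa global-duration time-based 3600
ipsec sa global-duration traffic-based 1843200
# Create the policy from the template (its parameters are edited in template view only)
ipsec policy policy1 10 isakmp template temp1
# Apply the policy to the interface facing the peer (assumed interface)
interface GigabitEthernet0/0
 ipsec policy policy1
 quit
```

For the tunnel to come up, the peer at 192.0.2.10 must reference a proposal whose transform and algorithms fully match `prop1`, must also enable PFS with `dh-group2`, and will end up with the smaller of the two ends' lifetimes; a mismatch in any of the first two yields no SA and the matching packets are dropped.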