3Com 3C13636 Configuration Manual page 1123

Router 3000 ethernet family
3Com Router 3000 Ethernet Family
Configuration Guide
Table 7-14 Reference ACL in the IPSec policy
Operation                                        Command
Reference an ACL in the IPSec policy             security acl acl-number
Remove the ACL referenced by the IPSec policy    undo security acl
One IPSec policy can reference only one access control list. If the IPSec policy has
referenced more than one ACL, only the one configured last is valid.
When an SA is set up through IKE (isakmp) negotiation, each IPSec policy can
reference up to six IPSec proposals. During IKE negotiation, the systems at the two
ends of the security tunnel search their configured IPSec proposals for a match. If no
match is found, SA setup fails and the packets requiring protection are dropped.
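The proposal lookup described above can be checked for a pair of tunnel ends before a change is deployed. The following Python is an added example, not code from the 3Com guide or the router software; the `Proposal` fields, the rule that proposals are tried in the initiator's configured order, and the sample proposal names are assumptions, and the sample policies are constructed.

```python
from dataclasses import dataclass

MAX_PROPOSALS = 6  # limit stated in the guide for an IKE-negotiated IPSec policy


@dataclass(frozen=True)
class Proposal:
    """One IPSec proposal; the field names are assumptions, not router syntax."""
    name: str            # local label only, never compared across peers
    protocol: str        # "esp" or "ah"
    encryption: str      # "" when the protocol is AH
    authentication: str
    mode: str            # "tunnel" or "transport"

    def transform(self):
        """Attributes both ends must agree on for the proposals to match."""
        return (self.protocol, self.encryption, self.authentication, self.mode)


def negotiate(initiator, responder):
    """Return (initiator_proposal, responder_proposal) for the first match, else None.

    Assumption: proposals are tried in the initiator's configured order.
    """
    for side, proposals in (("initiator", initiator), ("responder", responder)):
        if len(proposals) > MAX_PROPOSALS:
            raise ValueError(f"{side} references {len(proposals)} proposals, limit is {MAX_PROPOSALS}")
    offered = {}
    for p in responder:
        offered.setdefault(p.transform(), p)  # keep the responder's first entry per transform
    for p in initiator:
        if p.transform() in offered:
            return p, offered[p.transform()]
    return None  # no match: SA setup fails and protected traffic is dropped


# Constructed sample policies for three tunnel ends (names and algorithms are illustrative).
SITE_A = [Proposal("tran1", "esp", "aes-128", "sha1", "tunnel"),
          Proposal("tran2", "esp", "3des", "md5", "tunnel")]
SITE_B = [Proposal("legacy", "esp", "3des", "md5", "tunnel"),
          Proposal("ah-only", "ah", "", "sha1", "tunnel")]
SITE_C = [Proposal("host", "esp", "aes-128", "sha1", "transport")]

if __name__ == "__main__":
    for label, peer in (("A<->B", SITE_B), ("A<->C", SITE_C)):
        result = negotiate(SITE_A, peer)
        if result:
            print(f"{label}: match {result[0].name} / {result[1].name}")
        else:
            print(f"{label}: NO MATCH, tunnel would not come up")
```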
4) Referencing an IKE peer in the IPSec policy
In IKE negotiation mode, parameters such as the peer, SPI and key are obtained
through negotiation, so you only need to associate the IPSec policy with an IKE peer.
Perform the following configurations in IPSec policy view.
Table 7-15 Reference an ACL in the IPSec policy
Operation                                                Command
Reference an IKE peer in the IPSec policy.               ike peer peer-name
Remove the referenced IKE peer from the IPSec policy.    undo ike peer peer-name
Note:
This section discusses only how to reference an IKE peer for IPSec. In practice, other
parameters must also be configured in IKE peer view, including the IKE negotiation
mode, ID type, NAT traversal, shared key, peer IP address and peer name. Refer to the
next chapter for details.
5) Configuring SA duration (lifetime) (optional)
a. Configuring global SA lifetime
All SAs that have not been separately configured with a lifetime in IPSec policy view
adopt the global lifetime. In SA negotiation via IKE, the lifetime configured at the
local end or at the peer is adopted, whichever is smaller.
There are two types of lifetime: "time-based" lifetime and "traffic-based" lifetime. The
expiration of either type of lifetime renders the SA invalid. Before it goes invalid, IKE
Chapter 7 IPSec Configuration
