Operation Manual - VPN
H3C SecPath F1800-A Firewall
Chapter 3 IPSec Configuration

Table 3-7 Setting ACL for IPSec policy

Action                                   Command
Set ACL for IPSec policy.                security acl acl-number
Cancel ACL for IPSec policy.             undo security acl

An IPSec policy can apply only one ACL rule. If more than one ACL rule is applied to
an IPSec policy, the latest one takes effect.

III. Applying IPSec Proposal to IPSec Policy

The IPSec protocol, algorithm and packet encapsulation mode in an IPSec policy are
determined based on an existing IPSec proposal.

Do as follows in IPSec policy view.

Table 3-8 Applying IPSec proposal to IPSec policy

Action                                   Command
Apply IPSec proposal to IPSec policy.    proposal proposal-name&<1-6>
Cancel IPSec proposal to IPSec policy.   undo proposal [ proposal-name ]

When you create an SA manually, an IPSec policy can apply only one IPSec proposal,
so you must remove the old IPSec proposal before you apply a new one.
Moreover, the IPSec proposals applied on the two ends of the tunnel should be
configured with the same security protocol, algorithm and packet encapsulation
mode.

When you create an SA by IKE negotiation (isakmp), an IPSec policy can apply up to
6 IPSec proposals. IKE negotiation searches for fully matched IPSec proposals on the
two ends of the tunnel. If no fully matched IPSec proposal is found, the SA cannot be
created and the packet will be dropped.

IV. Configuring Life Duration for SA

If an SA is not configured with a separate life duration, it applies the global life duration.
The details about the global life duration of an SA will be introduced later.

There are two types of life duration:
Time-based life duration
Traffic-based life duration

The SA becomes invalid when either life duration expires. Before the SA becomes invalid,
IKE creates a new SA for IPSec.
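
The proposal rules in section III (one proposal per policy for a manual SA, up to 6 for isakmp, and a full match on security protocol, algorithm and encapsulation mode between the two ends) can be checked offline before a change is applied. The following is an added example, not part of the H3C manual; the Proposal class, check_policy function, proposal names and algorithm labels are all constructed for illustration.

```python
from dataclasses import dataclass

# Proposal limits per SA creation method, as stated in section III.
MAX_PROPOSALS = {"manual": 1, "isakmp": 6}
FIELDS = ("security protocol", "algorithm", "encapsulation mode")

@dataclass(frozen=True)
class Proposal:
    name: str        # local label only; it is not compared between peers
    protocol: str
    algorithm: str
    mode: str

    def params(self):
        return (self.protocol, self.algorithm, self.mode)

def check_policy(sa_mode, local, remote):
    """Return (ok, findings) for one IPSec policy and its peer's policy."""
    limit = MAX_PROPOSALS[sa_mode]
    findings = [f"{side}: {len(props)} proposals, {sa_mode} SA needs 1 to {limit}"
                for side, props in (("local", local), ("remote", remote))
                if not 1 <= len(props) <= limit]
    count_ok = not findings
    matches = [(loc, rem) for loc in local for rem in remote
               if loc.params() == rem.params()]
    for loc, rem in matches:
        findings.append(f"full match: {loc.name} <-> {rem.name}")
    if not matches:
        # No SA can be created; report which field breaks each pairing.
        for loc in local:
            for rem in remote:
                diff = [f for f, x, y in zip(FIELDS, loc.params(), rem.params())
                        if x != y]
                findings.append(f"{loc.name} vs {rem.name}: differs in {', '.join(diff)}")
    return count_ok and bool(matches), findings

# Constructed sample data: names and algorithm labels are illustrative only.
SITE_A = [Proposal("prop1", "esp", "3des/sha1", "tunnel"),
          Proposal("prop2", "ah", "sha1", "tunnel")]
SITE_B_BAD = [Proposal("branch1", "esp", "3des/sha1", "transport")]
SITE_B_GOOD = SITE_B_BAD + [Proposal("branch2", "ah", "sha1", "tunnel")]

if __name__ == "__main__":
    for peer in (SITE_B_BAD, SITE_B_GOOD):
        ok, findings = check_policy("isakmp", SITE_A, peer)
        print("SA can be created" if ok else "no SA, packets dropped")
        for line in findings:
            print("  " + line)
```

A proposal pair that differs in only one field, such as the encapsulation mode in the first sample peer, is still not a match; the findings list names the field so the mismatch can be corrected on one end.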