HP 3600 v2 Series Configuration Guide

HP 3600 v2 Series
449 pages
• An SA uses the global lifetime settings when it is not configured with lifetime settings in IPsec policy
view. When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the
peer, whichever are smaller.
• You cannot change the creation mode of an IPsec policy directly. To create an IPsec policy in
another creation mode, delete the current one and then configure a new IPsec policy.
To directly configure an IPsec policy that uses IKE:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IPsec policy that uses IKE and enter its view.
    Command: ipsec policy policy-name seq-number isakmp
    Remarks: By default, no IPsec policy exists.

Step 3. Configure an IPsec connection name.
    Command: connection-name name
    Remarks: Optional. By default, no IPsec connection name is configured.

Step 4. Assign an ACL to the IPsec policy.
    Command: security acl acl-number
    Remarks: By default, an IPsec policy references no ACL. An IPsec policy can reference only one ACL. If you specify multiple ACLs for an IPsec policy, only the last specified ACL takes effect.

Step 5. Assign IPsec proposals to the IPsec policy.
    Command: proposal proposal-name&<1-6>
    Remarks: By default, an IPsec policy references no IPsec proposal.

Step 6. Specify an IKE peer for the IPsec policy.
    Command: ike-peer peer-name
    Remarks: An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa.

Step 7. Enable and configure the perfect forward secrecy feature for the IPsec policy.
    Command: pfs dh-group14
    Remarks: Optional. By default, the PFS feature is not used for negotiation. For more information about PFS, see the chapter "IKE configuration."

Step 8. Set the SA lifetime.
    Command: sa duration { time-based seconds | traffic-based kilobytes }
    Remarks: Optional. By default, the global SA lifetime is used.

Step 9. Enable the IPsec policy.
    Command: policy enable
    Remarks: Optional. Enabled by default.

Step 10. Return to system view.
    Command: quit
    Remarks: N/A

Step 11. Set the global SA lifetime.
    Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
    Remarks: Optional. 3600 seconds for time-based SA lifetime by default. 1843200 kilobytes for traffic-based SA lifetime by default.
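The defaults in the procedure above and the lifetime rule in the notes before it can be checked offline against a saved command list. The following is an added example, not code from the HP guide: the function name, policy names, ACL numbers and the sample input are hypothetical, and only time-based lifetimes are handled.

```python
import re

SAMPLE_CONFIG = """\
ipsec policy branch 10 isakmp
 security acl 3001
 security acl 3101
 proposal tran1
 ike-peer peer-a
 quit
ipsec policy branch 20 isakmp
 security acl 3002
 proposal tran1
 ike-peer peer-b
 pfs dh-group14
 sa duration time-based 900
 quit
ipsec sa global-duration time-based 7200
"""  # constructed sample (hypothetical names and numbers), in the order typed

def audit_ipsec_policies(text, peer_seconds=None, global_seconds=3600):
    """Return {(name, seq): report}; 3600 s is the documented global default."""
    policies, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"ipsec sa global-duration time-based (\d+)", line):
            global_seconds = int(m.group(1))
        elif m := re.fullmatch(r"ipsec policy (\S+) (\d+) isakmp", line):
            cur = policies.setdefault((m[1], int(m[2])), {"acls": [], "pfs": None, "secs": None})
        elif line == "quit":
            cur = None          # left policy view
        elif cur is None:
            continue            # not inside a policy view; nothing to record
        elif m := re.fullmatch(r"security acl (\d+)", line):
            cur["acls"].append(int(m.group(1)))
        elif m := re.fullmatch(r"pfs (\S+)", line):
            cur["pfs"] = m.group(1)
        elif m := re.fullmatch(r"sa duration time-based (\d+)", line):
            cur["secs"] = int(m.group(1))
    reports = {}
    for ident, p in policies.items():
        local = p["secs"] or global_seconds  # per-policy value, else global
        warnings = []
        if len(p["acls"]) > 1:
            warnings.append(f"ACLs {p['acls'][:-1]} ignored; only the last takes effect")
        if p["pfs"] is None:
            warnings.append("PFS is not used for negotiation")
        reports[ident] = {"acl": p["acls"][-1] if p["acls"] else None,
                          "lifetime": min(local, peer_seconds or local),
                          "warnings": warnings}
    return reports
```

Pass the peer's proposed lifetime as `peer_seconds` to see the value IKE would settle on (the smaller of the two); leave it out to see the local setting only.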
With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec
transform sets. During negotiation, IKE searches for a fully matched IPsec transform set at the two ends of
