HP 5120 SI Series

385 pages
NOTE:
You cannot change the creation mode of an IPsec policy from manual to through IKE, or vice versa. To
create an IPsec policy that uses IKE, delete the manual IPsec policy, and then use IKE to configure an IPsec
policy.
Configuring an IPsec policy that uses IKE
To configure an IPsec policy that uses IKE, configure its parameters directly in IPsec policy view.
Before you configure an IPsec policy that uses IKE, configure the ACLs and the IKE peer for the IPsec
policy.
The parameters for the local and remote ends must match.
When you configure an IPsec policy that uses IKE, follow these guidelines:
• An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the
last one takes effect.
• With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec
proposals. During negotiation, IKE searches for a fully matched IPsec proposal at the two ends of
the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to
be protected will be dropped.
• During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is
performed. If the local end uses PFS, the remote end must also use PFS for negotiation and both
ends must use the same Diffie-Hellman (DH) group; otherwise, the negotiation will fail.
• An SA uses the global lifetime settings when it is not configured with lifetime settings in IPsec policy
view. When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the
peer, whichever are smaller.
• You cannot change the creation mode of an IPsec policy directly. To create an IPsec policy in
another creation mode, delete the current one and then configure a new IPsec policy.
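The guidelines above can be checked before deployment by comparing the settings planned for both ends of the tunnel. The following Python code is an added example, not part of the HP manual; the PolicyEnd model, its field names, and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

MAX_PROPOSALS = 6  # limit stated above for IKE-negotiated policies

@dataclass
class PolicyEnd:
    """Hypothetical model of one end's IPsec policy (field names are assumptions)."""
    proposals: list                          # each proposal as a tuple of its settings
    acls: list                               # ACL numbers in the order they were entered
    global_lifetime_s: int                   # global SA lifetime on this device
    policy_lifetime_s: Optional[int] = None  # lifetime set in IPsec policy view, if any
    pfs_dh_group: Optional[str] = None       # None means PFS is not enabled

    def effective_acl(self):
        # Only the last ACL specified for the policy takes effect.
        return self.acls[-1] if self.acls else None

    def lifetime(self):
        # The global lifetime applies when none is set in IPsec policy view.
        if self.policy_lifetime_s is not None:
            return self.policy_lifetime_s
        return self.global_lifetime_s

def check_pair(local, remote):
    """Return (problems, negotiated_lifetime_s) for the two ends of one tunnel."""
    problems = []
    for side, end in (("local", local), ("remote", remote)):
        if len(end.proposals) > MAX_PROPOSALS:
            problems.append(f"{side}: more than {MAX_PROPOSALS} proposals referenced")
        if len(end.acls) > 1:
            problems.append(f"{side}: ACLs {end.acls[:-1]} are ignored, only {end.acls[-1]} applies")
    # IKE needs one proposal that matches fully at both ends, otherwise no SA is set up.
    if not any(p in remote.proposals for p in local.proposals):
        problems.append("no fully matching proposal: no SA, protected traffic is dropped")
    # PFS must be used by both ends, with the same DH group.
    if local.pfs_dh_group != remote.pfs_dh_group:
        problems.append(f"PFS mismatch: {local.pfs_dh_group} vs {remote.pfs_dh_group}")
    # The smaller of the two lifetimes is the one used.
    return problems, min(local.lifetime(), remote.lifetime())

# Constructed sample values, not taken from any device.
ESP_AES = ("esp", "aes-128", "sha1", "tunnel")
ESP_3DES = ("esp", "3des", "md5", "tunnel")
site_a = PolicyEnd([ESP_AES, ESP_3DES], acls=[3000, 3101], global_lifetime_s=3600,
                   pfs_dh_group="group2")
site_b = PolicyEnd([ESP_AES], acls=[3101], global_lifetime_s=3600,
                   policy_lifetime_s=1800, pfs_dh_group="group14")

if __name__ == "__main__":
    for line in check_pair(site_a, site_b)[0]:
        print(line)
```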
To directly configure an IPsec policy that uses IKE:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create an IPsec policy that uses IKE and enter its view. | ipsec policy policy-name seq-number isakmp | By default, no IPsec policy exists. |
| 3. Configure an IPsec connection name. | connection-name name | Optional. By default, no IPsec connection name is configured. |
| 4. Assign an ACL to the IPsec policy. | security acl acl-number | By default, an IPsec policy references no ACL. An IPsec policy can reference only one ACL. If you specify multiple ACLs for an IPsec policy, only the last specified ACL takes effect. |
| 5. Assign IPsec proposals to the IPsec policy. | proposal proposal-name&<1-6> | By default, an IPsec policy references no IPsec proposal. |
