349
Ste
Command
Remar
6. Specify an IKE peer for
the IPsec policy.
ike-peer peer-name
An IPsec policy cannot reference any IKE
peer that is already referenced by an IPsec
profile, and vice versa.
7. Enable and configure the
perfect forward secrecy
feature for the IPsec
policy.
pfs { dh-group2 | dh-group5 |
dh-group14 }
Optional.
By default, the PFS feature is not used for
negotiation.
For more information about PFS, see the
chapter "IKE configuration."
8. Set the SA lifetime.
sa duration { time-based
seconds | traffic-based
kilobytes }
Optional.
By default, the global SA lifetime is used.
9. Enable the IPsec policy.
policy enable
Optional.
Enabled by default.
10. Return to system view.
quit N/A
11. Set the global SA lifetime.
ipsec sa global-duration
{ time-based seconds |
traffic-based kilobytes }
Optional.
3600 seconds for time-based SA lifetime
by default.
1843200 kilobytes for traffic-based SA
lifetime by default.
With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec
transform sets. During negotiation, IKE searches for a fully matched IPsec transform set at the two ends of
the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to be
protected will be dropped.
During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is performed.
If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the
same DH group. Otherwise, the negotiation will fail.
An SA uses the global lifetime settings when it is not configured with lifetime settings in IPsec policy view.
When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer,
whichever are smaller.
You cannot change the creation mode of an IPsec policy from IKE to manual, or vice versa. To create a
manual IPsec policy, delete the IKE-mode IPsec policy, and then configure the manual IPsec policy.
Applying an IPsec policy group to an interface
An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers.
In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
You can apply an IPsec policy group to a logical or physical interface to protect certain data flows. To
cancel the IPsec protection, remove the application of the IPsec policy group.
For each packet to be sent out an IPsec protected interface, the system looks through the IPsec policies in
the IPsec policy group in ascending order of sequence numbers. If an IPsec policy matches the packet,
the system uses the IPsec policy to protect the packet. If no match is found, the system sends the packet out
without IPsec protection.
To apply an IPsec policy group to an interface:
To Next Page
Loading...
