HPE FlexNetwork 5510 HI Series Security Configuration Guide

• The IPsec policies at the two ends must have IPsec transform sets that use the same security
protocols, security algorithms, and encapsulation mode.
• The remote IPv4 address configured on the local end must be the same as the primary IPv4
address of the interface applied with the IPsec policy at the remote end. The remote IPv6
address configured on the local end must be the same as the first IPv6 address of the interface
applied with the IPsec policy at the remote end.
• At each end, configure parameters for both the inbound SA and the outbound SA, and make
sure the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP
address, security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique.
• The local inbound SA must use the same SPI and keys as the remote outbound SA. The same
is true of the local outbound SA and remote inbound SA.
• The keys for the local and remote inbound and outbound SAs must be in the same format. For
example, if the local inbound SA uses a key in characters, the local outbound SA and remote
inbound and outbound SAs must use keys in characters.
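
The rules above can be checked on paper before either end is configured. The following Python check is an added example, not part of the HPE guide: the SA and Entry models and the function names are hypothetical, and the addresses, SPIs, keys and algorithm label are constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    proto: str  # "ah" or "esp"
    spi: int
    key: str
    fmt: str    # key format, e.g. "string" (characters) or "hex"

@dataclass(frozen=True)
class Entry:
    """One manual IPsec policy entry as seen from one device (hypothetical model)."""
    local: str        # primary/first address of the interface the policy is applied to
    remote: str       # value given to remote-address
    transform: tuple  # (security protocols, algorithms, encapsulation mode)
    inbound: tuple    # SA objects
    outbound: tuple   # SA objects

def check_device(entries):
    """Uniqueness rules across all manual entries planned for one device."""
    out = Counter((e.remote, s.proto, s.spi) for e in entries for s in e.outbound)
    inn = Counter(s.spi for e in entries for s in e.inbound)
    return ([f"duplicate outbound triplet {k}" for k, n in out.items() if n > 1]
            + [f"duplicate inbound SPI {k}" for k, n in inn.items() if n > 1])

def _mirror(sas):
    return sorted((s.proto, s.spi, s.key) for s in sas)

def check_pair(a, b):
    """Symmetry rules between the two ends (a, b) of one tunnel."""
    problems = []
    if a.transform != b.transform:
        problems.append("transform sets differ")
    for x, y, side in ((a, b, "A"), (b, a, "B")):
        if x.remote != y.local:
            problems.append(f"{side}: remote-address does not match peer interface address")
        if _mirror(x.inbound) != _mirror(y.outbound):
            problems.append(f"{side}: inbound SPI/keys differ from peer outbound")
    if len({s.fmt for e in (a, b) for s in e.inbound + e.outbound}) > 1:
        problems.append("key formats are mixed")
    return problems

# Constructed sample: both ends of one ESP tunnel (documentation addresses, dummy keys).
T = ("esp", "aes-cbc-128/sha1", "tunnel")
A = Entry("192.0.2.1", "192.0.2.2", T, (SA("esp", 54321, "key-b-to-a", "string"),),
          (SA("esp", 12345, "key-a-to-b", "string"),))
B = Entry("192.0.2.2", "192.0.2.1", T, (SA("esp", 12345, "key-a-to-b", "string"),),
          (SA("esp", 54321, "key-b-to-a", "string"),))
```

Both functions return a list of violations; an empty list means the planned entries satisfy the rules listed above.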
Configuration procedure
To configure a manual IPsec policy:
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a manual IPsec policy entry and enter its view.
   Command: ipsec { ipv6-policy | policy } policy-name seq-number manual
   Remarks: By default, no IPsec policy exists.

3. (Optional.) Configure a description for the IPsec policy.
   Command: description text
   Remarks: By default, no description is configured.

4. Specify an ACL for the IPsec policy.
   Command: security acl [ ipv6 ] { acl-number | name acl-name }
   Remarks: By default, no ACL is specified for an IPsec policy. You can specify only one ACL for an IPsec policy.

5. Specify an IPsec transform set for the IPsec policy.
   Command: transform-set transform-set-name
   Remarks: By default, no IPsec transform set is specified for an IPsec policy. You can specify only one IPsec transform set for a manual IPsec policy.

6. Specify the remote IP address of the IPsec tunnel.
   Command: remote-address { ipv4-address | ipv6 ipv6-address }
   Remarks: By default, the remote IP address of the IPsec tunnel is not specified. The local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied. The local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied.

7. Configure an SPI for the inbound or outbound IPsec SA.
   Command:
   • To configure an SPI for the inbound IPsec SA:
     sa spi inbound { ah | esp } spi-number
   • To configure an SPI for the outbound IPsec SA:
     sa spi outbound { ah | esp } spi-number
   Remarks: By default, no SPI is configured for the inbound or outbound IPsec SA.
