HPE FlexNetwork 5510 HI Series Security Configuration Guide

Remarks: address of the interface to which the IPsec policy is applied. The local IP address specified by this command must be the same as the IP address used as the local IKE identity.

9. Specify the remote IP address of the IPsec tunnel.
   Command: remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }
   Remarks: By default, the remote IP address of the IPsec tunnel is not specified.

10. Set the IPsec SA lifetime.
   Command: sa duration { time-based seconds | traffic-based kilobytes }
   Remarks: By default, the global SA lifetime is used.

11. (Optional.) Set the IPsec SA idle timeout.
   Command: sa idle-time seconds
   Remarks: By default, the global SA idle timeout is used.

12. (Optional.) Enable the Traffic Flow Confidentiality (TFC) padding feature.
   Command: tfc enable
   Remarks: The tfc enable command is available in Release 1121 and later. By default, the TFC padding feature is disabled.

13. Return to system view.
   Command: quit
   Remarks: N/A

14. Set the global SA lifetime.
   Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
   Remarks: By default, the time-based SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes.

15. (Optional.) Enable the global IPsec SA idle timeout feature, and set the global SA idle timeout.
   Command: ipsec sa idle-time seconds
   Remarks: By default, the global IPsec SA idle timeout feature is disabled.

Configuring an IKE-based IPsec policy by using an IPsec policy template
The configurable parameters for an IPsec policy template are the same as those available when you
directly configure an IKE-based IPsec policy. The difference is that more parameters are optional for
an IPsec policy template: all parameters except the IPsec transform sets and the IKE profile are
optional.
A device using an IPsec policy that is configured by using an IPsec policy template cannot initiate an
SA negotiation, but it can respond to a negotiation request. The parameters not defined in the
template are determined by the initiator. For example, in an IPsec policy template, the ACL is
optional. If you do not specify an ACL, the IPsec protection range has no limit, so the device accepts
all ACL settings of the negotiation initiator. When the remote end's information (such as the IP
address) is unknown, the IPsec policy configured by using this method allows the remote end to
initiate negotiations with the local end.
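
An added example, not taken from the HPE guide: a Python check that reads a saved configuration and flags IPsec policy templates with no ACL (the case above in which the initiator decides the protection range) or without the two mandatory settings. The sample configuration is constructed, and the transform-set, ike-profile and security acl sub-command names are assumptions that do not appear on this page.

```python
import re

# Constructed sample in the layout of a "display current-configuration" dump.
# "transform-set", "ike-profile" and "security acl" are assumed command
# names; they do not appear on this page.
SAMPLE_CONFIG = """\
#
ipsec policy-template branch 1
 transform-set tran1
 ike-profile prof1
#
ipsec policy-template partner 1
 description constructed example
 transform-set tran1
 ike-profile prof1
 security acl 3101
 sa duration time-based 3600
#
ipsec ipv6-policy-template v6peers 5
 transform-set tran1
#
"""

HEADER = re.compile(r"^ipsec (?:ipv6-)?policy-template (\S+) (\d+)\s*$")

def parse_templates(config):
    """Return {(name, seq): [sub-commands]} for every IPsec policy template."""
    templates, current = {}, None
    for line in config.splitlines():
        m = HEADER.match(line)
        if m:
            current = templates.setdefault((m.group(1), int(m.group(2))), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "#" separator or another top-level command
    return templates

def audit(config):
    """List findings: missing mandatory settings and unrestricted protection range."""
    findings = []
    for (name, seq), cmds in sorted(parse_templates(config).items()):
        for required in ("transform-set", "ike-profile"):
            if not any(c.startswith(required + " ") for c in cmds):
                findings.append((name, seq, "missing " + required))
        if not any(c.startswith("security acl ") for c in cmds):
            findings.append((name, seq, "no ACL: initiator decides protected traffic"))
    return findings

if __name__ == "__main__":
    for name, seq, issue in audit(SAMPLE_CONFIG):
        print(f"template {name} {seq}: {issue}")
```
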
To configure an IKE-based IPsec policy by using an IPsec policy template:
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IPsec policy template and enter its view.
   Command: ipsec { ipv6-policy-template | policy-template } template-name seq-number
   Remarks: By default, no IPsec policy template exists.

3. (Optional.) Configure a description for the IPsec policy template.
   Command: description text
   Remarks: By default, no description is configured.