278
Configuring a manual IPsec profile
An IPsec profile is similar to an IPsec policy. The difference is that an IPsec profile is uniquely
identified by a name and it does not support ACL configuration. An IPsec profile defines the IPsec
transform set used for protecting data flows, and specifies SPIs and the keys used by the SAs.
The IPsec profile configurations at the two tunnel ends must meet the following requirements:
• The IPsec transform set used by the IPsec profile at the two tunnel ends must have the same
security protocol, encryption and authentication algorithms, and packet encapsulation mode.
• The local inbound and outbound IPsec SAs must have the same SPI and key.
ï‚¡ The IPsec SAs on the devices in the same scope must have the same key. The scope is
defined by protocols. For RIPng, the scope consists of directly-connected neighbors or a
RIPng process. For OSPF, the scope consists of OSPF neighbors or an OSPF area. For
BGP, the scope consists of BGP peers or a BGP peer group.
• The keys for the IPsec SAs at the two tunnel ends must be configured in the same format. For
example, if the key at one end is entered as a string of characters, the key on the other end
must also be entered as a string of characters.
To configure a manual IPsec profile:
1. Enter system view.
system-view
N/A
2. Create a manual IPsec
profile and enter its view.
ipsec
profile
profile-name
manual
By default, no IPsec profile exists.
The
manual
needed if you enter the view of an
existing IPsec profile.
3. (Optional.) Con
figure a
description for the IPsec
profile.
description
text
By default, no description is
configured.
4. Specify an IPsec
transform set for the
IPsec profile.
transform-set
transform-set-name
By default, no IPsec transform set
is specified for an IPsec profile.
The specified IPsec transform set
must use the transport mode.
5. Configure an SPI for an
SA.
sa
spi
{
inbound
|
outbound
} {
ah
|
} spi-number
By default, no SPI is configured
for an SA.
To Next Page
Loading...
Need help?
General