• Directly configure it by configuring the parameters in IPsec policy view.
• Configure it by referencing an existing IPsec policy template in which the parameters to be negotiated are configured. A device referencing an IPsec policy configured in this way cannot initiate SA negotiation but can respond to a negotiation request. The parameters not defined in the template are determined by the initiator. This method applies to scenarios where the remote end's information, such as its IP address, is unknown.
Before you configure an IPsec policy that uses IKE, complete the following tasks:
• Configure the ACLs and the IPsec transform sets for the IPsec policy.
• Configure the IKE peer for IKEv1 negotiation. For more information, see "Configuring an IKE peer."
• Configure the IKEv2 profile for IKEv2 negotiation. For more information, see "Configuring an IKEv2 profile."
The parameters for the local and remote ends must match.
1. Directly configure an IPsec policy that uses IKE:

Step 1. Enter system view.
   Command: system-view
   Remark: N/A

Step 2. Create an IPsec policy that uses IKE and enter its view.
   Command: ipsec policy policy-name seq-number isakmp
   Remark: By default, no IPsec policy exists.

Step 3. Configure an IPsec connection name.
   Command: connection-name name
   Remark: Optional. By default, no IPsec connection name is configured.

Step 4. Assign an ACL to the IPsec policy.
   Command: security acl acl-number [ aggregation ]
   Remark: By default, an IPsec policy references no ACL.

Step 5. Assign IPsec transform sets to the IPsec policy.
   Command: transform-set transform-set-name&<1-6>
   Remark: By default, an IPsec policy references no IPsec transform set. With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec transform sets. During negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to be protected are dropped.

Step 6. Specify an IKE peer for the IPsec policy.
   Command: ike-peer peer-name [ primary ]
   Remark: N/A

Step 7. Specify an IKEv2 profile for the IPsec policy.
   Command: ikev2 profile profile-name
   Remark: Required for IKEv2 negotiation. By default, an IPsec policy references no IKEv2 profile.
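The seven steps above carried out as one configuration session, as an added example that is not taken from the guide. The ACL numbers (3000, 3001), transform-set names (tran1, tran2), IKE peer name (peer1), IKEv2 profile name (prof1), policy name (map1), and the device name in the prompts are placeholders; the ACLs, transform sets, IKE peer, and IKEv2 profile are assumed to have been created already as described in the prerequisite tasks.

```text
# Added example (not from the guide). Lines starting with "#" are annotations,
# not commands. Assumed to exist already: ACL 3000 and 3001, transform sets
# tran1 and tran2, IKE peer peer1, IKEv2 profile prof1. Prompts are illustrative.

# Step 1: enter system view.
<Device> system-view

# Step 2: create policy "map1", entry 10, for IKE-negotiated SAs (IKEv1 entry).
[Device] ipsec policy map1 10 isakmp
# Step 3 (optional): a connection name makes the tunnel easy to identify in displays.
[Device-ipsec-policy-isakmp-map1-10] connection-name hq-to-branch
# Step 4: ACL 3000 selects the traffic this entry protects.
[Device-ipsec-policy-isakmp-map1-10] security acl 3000
# Step 5: offer two transform sets; IKE picks one that fully matches the remote end.
# If neither matches the peer's configuration, no SA is set up and matching
# traffic is dropped rather than sent unprotected.
[Device-ipsec-policy-isakmp-map1-10] transform-set tran1 tran2
# Step 6: IKEv1 negotiation uses the IKE peer.
[Device-ipsec-policy-isakmp-map1-10] ike-peer peer1
[Device-ipsec-policy-isakmp-map1-10] quit

# A second entry of the same policy, negotiated with IKEv2 instead:
[Device] ipsec policy map1 20 isakmp
[Device-ipsec-policy-isakmp-map1-20] security acl 3001
[Device-ipsec-policy-isakmp-map1-20] transform-set tran1
# Step 7: IKEv2 negotiation requires an IKEv2 profile in place of an IKE peer.
[Device-ipsec-policy-isakmp-map1-20] ikev2 profile prof1
[Device-ipsec-policy-isakmp-map1-20] quit
```

Each sequence number is a separate entry of the same policy; the ACL, transform sets and IKE peer or IKEv2 profile referenced by an entry must agree with the remote end's configuration, since a transform-set mismatch silently prevents the SA from being established for that entry's traffic.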