163
Step Command Remark
8. Configure an IP address
for the local security
gateway.
local-address
{ ipv4-address |
ipv6
ipv6-address }
Optional.
By default, the IP address of the
interface to which the IPsec
policy is applied is used as the
local gateway IP address.
This command is available only
for IKEv2.
9. Configure an IP address
for the remote security
gateway.
remote-address
{ [
ipv6
]
host-name [
dynamic
] |
ipv4-address |
ipv6
ipv6-address }
By default, no IP address is
configured for the remote
security gateway.
The remote gateway IP address
configuration is required on an
IKEv2 negotiation initiator and
optional on a responder.
This command is available only
for IKEv2.
10. Specify the IP packet
encapsulation mode.
encapsulation-mode
{
transport
|
tunnel
}
Optional.
Tunnel mode by default.
This command is available only
for IKEv2.
Transport mode applies only
when the source and
destination IP addresses of data
flows match those of the IPsec
tunnel.
IPsec for IPv6 routing protocols
supports only the transport
mode.
11. Enable the traffic flow
confidentiality (TFC)
padding function.
tfc enable
Optional.
Disabled by default.
12. Enable and configure the
perfect forward secrecy
feature for the IPsec policy.
pfs
{
dh-group1
|
dh-group2
|
dh-group5
|
dh-group14
}
Optional.
By default, the PFS feature is
not used for negotiation.
If the local end uses PFS, the
remote end must also use PFS
for negotiation and both ends
must use the same DH group.
Otherwise, the negotiation will
fail.
For more information about
PFS, see "Configuring IKE."
The
dh-group1
keyword is not
available for FIPS mode.
13. Set the SA lifetime.
sa
duration
{
time-based
seconds |
traffic-based
kilobytes }
Optional.
By default, the global SA lifetime
is used.
When negotiating to set up SAs,
IKE uses the local lifetime
settings or those proposed by
the peer, whichever are smaller.
14. Enable the IPsec policy.
policy enable
Optional.
Enabled by default.
To Next Page
Loading...
Need help?
General
