164
Step Command Remark
15. Return to system view.
quit
N/A
16. Set the global SA lifetime.
ipsec
sa
global-duration
{
time-based
seconds |
traffic-based
kilobytes }
Optional.
3600 seconds for time-based
SA lifetime by default.
1843200 kilobytes for
traffic-based SA lifetime by
default.
2. Configure an IPsec policy that uses IKE by referencing an IPsec policy template.
The parameters configurable for an IPsec policy template are the same as those you configure
when directly configuring an IPsec policy that uses IKE. The difference is that more parameters
are optional.
{ Required configuration: The IPsec transform sets and IKE peer.
{ Optional configuration: The ACL, PFS feature, and SA lifetime. Unlike the direct
configuration, ACL configuration to be referenced by an IPsec policy is optional. The
responder without ACL configuration accepts the initiator's ACL configuration.
To configure an IPsec policy that uses IKE by referencing an IPsec policy template:
Step Command Remark
1. Enter system view.
system-view
N/A
2. Create an IPsec policy
template and enter its view.
ipsec
policy-template
template-name seq-number
By default, no IPsec policy
template exists.
3. Specify the ACL for the
IPsec policy to reference.
security
acl
acl-number
Optional.
By default, an IPsec policy
references no ACL.
4. Specify the IPsec
transform sets for the
IPsec policy to reference.
transform-set
transform-set-name&<1-6>
By default, an IPsec policy
references no IPsec transform
set.
With SAs to be established
through IKE negotiation, an
IPsec policy can reference up to
six IPsec transform sets. During
negotiation, IKE searches for a
fully matched IPsec transform
set at the two ends of the
expected IPsec tunnel. If no
match is found, no SA can be
set up and the packets
expecting to be protected will be
dropped.
5. Specify the IKE peer for
the IPsec policy to
reference.
ike-peer
peer-name [
primary
]N/A
To Next Page
Loading...
Need help?
General
