6. Enable and configure the perfect forward secrecy feature for the IPsec policy.
   Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
   Remark: Optional. By default, PFS is not used for negotiation. If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same DH group; otherwise, the negotiation fails. dh-group1 (768-bit MODP) and dh-group2 (1024-bit MODP) are too weak for new deployments; prefer dh-group14 (2048-bit MODP). For more information about PFS, see "Configuring IKE." The dh-group1 keyword is not available in FIPS mode.
7. Configure the SA lifetime.
   Command: sa duration { time-based seconds | traffic-based kilobytes }
   Remark: Optional. By default, the global SA lifetime settings are used. When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer, whichever are smaller.
8. Enable the IPsec policy.
   Command: policy enable
   Remark: Optional. Enabled by default.
9. Return to system view.
   Command: quit
   Remark: N/A
10. Configure the global SA lifetime.
    Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
    Remark: Optional. By default, the time-based SA lifetime is 3600 seconds and the traffic-based SA lifetime is 1843200 kilobytes.
11. Create an IPsec policy by referencing an IPsec policy template.
    Command: ipsec policy policy-name seq-number isakmp template template-name
    Remark: By default, no IPsec policy exists.
Applying an IPsec policy group to an interface
An IPsec policy group is a collection of IPsec policies with the same name but different sequence
numbers. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher
priority.
You can apply an IPsec policy group to a logical or physical interface to protect certain data flows. To
cancel the IPsec protection, remove the application of the IPsec policy group from the interface.
For each packet to be sent out an IPsec-protected interface, the system looks through the IPsec
policies in the IPsec policy group in ascending order of sequence numbers. The first IPsec policy whose
ACL matches the packet is used to protect it. If no policy matches, the packet is not dropped: the
system sends it out of the interface without IPsec protection, in cleartext. The ACLs referenced by the
policies in the group must therefore cover every flow that requires protection.
In addition to physical interfaces like serial and Ethernet ports, you can apply an IPsec policy to
virtual interfaces, such as tunnel and virtual template interfaces, to tunnel applications such as GRE
and L2TP.
An interface can reference only one IPsec policy group. An IPsec policy that uses IKE can be applied
to more than one interface, but a manual IPsec policy can be applied to only one interface.
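The following configuration is an added example and is not taken from the original guide. It walks through steps 6 to 11 above for an IKE-negotiated policy group named map1 and then applies the group to an interface. The policy name, sequence numbers, ACL number, IPsec proposal, IKE peer, policy template name, addresses and the pre-shared key are all assumed for illustration; only the command syntax follows the steps on this page and the related Comware IPsec and IKE command families.

```text
#
# Added example, not the guide's own configuration. All names, numbers,
# addresses and the pre-shared key below are assumed for illustration.
#
# Supporting objects: the data flow to protect, the transform set, the IKE peer.
acl number 3001
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
#
ipsec proposal prop1
 transform esp
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha1
#
ike peer peer1
 pre-shared-key simple ExamplePSK-change-me
 remote-address 2.2.2.2
#
# Steps 6 to 9: policy map1, sequence 10, negotiated by IKE (IPsec policy view).
ipsec policy map1 10 isakmp
 security acl 3001
 proposal prop1
 ike-peer peer1
# Step 6: PFS with the 2048-bit group. The peer must also enable PFS with
# dh-group14, or phase 2 negotiation fails.
 pfs dh-group14
# Step 7: policy-specific lifetimes, shorter than the global defaults. IKE
# applies the smaller of the local value and the value proposed by the peer.
 sa duration time-based 1800
 sa duration traffic-based 512000
# Step 8: enabled by default; shown explicitly here.
 policy enable
# Step 9: back to system view.
 quit
#
# Step 10: global SA lifetime, used by any policy that sets no lifetime of its
# own. These are the factory defaults (3600 s, 1843200 KB) restated explicitly.
ipsec sa global-duration time-based 3600
ipsec sa global-duration traffic-based 1843200
#
# Step 11: a second entry in the same policy group, built from a policy
# template, for a responder whose peer address is not fixed (template name assumed).
ipsec policy-template tmpl1 10
 security acl 3001
 proposal prop1
 ike-peer peer1
 pfs dh-group14
 quit
ipsec policy map1 20 isakmp template tmpl1
#
# Apply the policy group to the outbound interface (interface name assumed).
# Entries 10 and 20 of map1 are tried in ascending order; a packet that
# matches neither ACL leaves this interface without IPsec protection.
interface Serial2/0
 ipsec policy map1
 quit
```

Because an interface can reference only one IPsec policy group, any additional flows that need protection on Serial2/0 are added as further sequence numbers of map1, not as a second group; keep the more specific ACLs at lower sequence numbers so a broad entry does not shadow them.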
To apply an IPsec policy group to an interface: