An ACL is applied to the IPSec policy.
Step 5 (Optional) Run:
sa trigger-mode { auto | traffic-based }
The SA triggering mode is configured.
After IKE negotiation phase 1 succeeds, the IPSec SA is established in the specified triggering
mode. In automatic triggering mode, the IPSec SA is established immediately after IKE
negotiation phase 1 succeeds. In traffic-based triggering mode, the IPSec SA is established only
after packets are received.
By default, the automatic triggering mode is used.
Step 6 (Optional) Run:
sa duration { traffic-based kilobytes | time-based interval }
The SA lifetime is set.
• In IKEv1, the IKE peers compare the lifetime set in their IPSec proposals and use the smaller
value as the IPSec SA lifetime.
• In IKEv2, the IKE peers do not negotiate the SA lifetime. Instead, they use the locally set
SA lifetime.
• The default IPSec SA lifetime is 3600 seconds, and the default traffic volume is 1843200
kilobytes.
Step 7 Run:
ike-peer peer-name
An IKE peer is applied to the IPSec policy.
NOTE
For details on how to configure an IKE peer, see 5.4.4 Configuring an IKE Peer.
Step 8 (Optional) Run:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.
If PFS is specified on the local end, you also need to specify PFS on the remote peer. The Diffie-
Hellman group specified on the two ends must be the same; otherwise, the negotiation fails. If
the remote end uses the template mode, the Diffie-Hellman groups can be different.
----End
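Added example (not part of the Huawei guide): a Python check that applies the SA lifetime rules of Step 6 and the PFS matching rule of Step 8 to the policy lines of both tunnel ends. The sample configurations, peer names and function names are constructed for illustration, and flagging Diffie-Hellman groups below 2048 bits is an assumption of this example, not a statement from the guide.

```python
import re

# Defaults stated in this section: 3600 seconds and 1843200 kilobytes.
DEFAULTS = {"time-based": 3600, "traffic-based": 1843200}
# Modulus sizes of the MODP groups that the pfs command offers.
DH_BITS = {"dh-group1": 768, "dh-group2": 1024, "dh-group5": 1536, "dh-group14": 2048}

# Constructed sample input: policy-view lines for the two ends of one tunnel.
LOCAL_CFG = "sa duration time-based 7200\nike-peer branch1\npfs dh-group2\n"
REMOTE_CFG = ("sa duration time-based 1800\nsa duration traffic-based 921600\n"
              "ike-peer hq\npfs dh-group14\n")

def parse_policy(text):
    """Collect SA lifetimes and the PFS group; unset values keep the defaults."""
    policy = {"pfs": None, **DEFAULTS}
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"sa duration (traffic-based|time-based) (\d+)", line)
        if m:
            policy[m.group(1)] = int(m.group(2))
        m = re.fullmatch(r"pfs (dh-group(?:1|2|5|14))", line)
        if m:
            policy["pfs"] = m.group(1)
    return policy

def effective_lifetime(local, remote, ike_version):
    """Lifetime the local end applies to the IPSec SA."""
    if ike_version == 1:  # IKEv1: the smaller proposal value is used
        return {k: min(local[k], remote[k]) for k in DEFAULTS}
    return {k: local[k] for k in DEFAULTS}  # IKEv2: locally set value, no negotiation

def audit(local, remote, ike_version, remote_is_template=False):
    """Return findings for a pair of parsed policies."""
    findings = []
    if (local["pfs"] is None) != (remote["pfs"] is None):
        findings.append("PFS is set on one end only")
    elif local["pfs"] != remote["pfs"] and not remote_is_template:
        findings.append("PFS groups differ: negotiation fails")
    for end, p in (("local", local), ("remote", remote)):
        # Assumption of this example: groups below 2048 bits are flagged.
        if p["pfs"] and DH_BITS[p["pfs"]] < 2048:
            findings.append(f"{end}: {p['pfs']} is {DH_BITS[p['pfs']]}-bit, prefer dh-group14")
    if ike_version == 2 and any(local[k] != remote[k] for k in DEFAULTS):
        findings.append("IKEv2: lifetimes differ and each end uses its own value")
    return findings

if __name__ == "__main__":
    a, b = parse_policy(LOCAL_CFG), parse_policy(REMOTE_CFG)
    print(effective_lifetime(a, b, 1), audit(a, b, 1))
```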
5.4.7 Configuring an IPSec Policy Template
An IPSec policy template can be used to configure multiple IPSec policies, reducing the
workload of establishing multiple IPSec tunnels.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Huawei AR1200 Series Enterprise Routers
Configuration Guide - VPN 5 IPSec Configuration
Issue 01 (2012-04-20) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.