Configuration prerequisites, Configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual

179

•

Required configuration: The IPsec proposals and IKE peer.

•

Optional configuration: The ACL, PFS feature, and SA lifetime. Unlike the direct configuration, ACL
configuration to be referenced by an IPsec policy is optional. The responder without ACL
configuration accepts the initiator's ACL configuration.

Configuration prerequisites

Configure the ACLs and the IKE peer for the IPsec policy. For more information about IKE configuration,

see "Configuring IKE."
The parameters for the local and remote ends must match.

Configuration procedure

When configuring an IPsec policy that uses IKE, follow these guidelines:

•

You cannot change the parameters of an IPsec policy created by referencing an IPsec policy
template directly in IPsec policy view. You can perform the required changes in IPsec policy

template view.

•

An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the
last one takes effect.

•

With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec
proposals. During negotiation, IKE searches for a fully matched IPsec proposal at the two ends of
the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to

be protected will be dropped.

•

During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is
performed. If the local end uses PFS, the remote end must also use PFS for negotiation and both

ends must use the same Diffie-Hellman (DH) group; otherwise, the negotiation will fail.

•

You can set both the time-based SA lifetime and the traffic-based SA lifetime. Once the time-based
lifetime or traffic-based lifetime of an SA elapses, the SA is aged.

•

An SA uses the global lifetime settings when it is not configured with lifetime settings in IPsec policy

view. When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the
peer, whichever are smaller.

•

You cannot change the creation mode of an IPsec policy between the two, directly configuration
and configuration by referencing an IPsec policy template. To create an IPsec policy in another

creation mode, delete the current one and then configure a new IPsec policy.

To directly configure an IPsec policy that uses IKE:

Step Command

Remark

1.

Enter system view.

system-view

N/A

2.

Create an IPsec policy that
uses IKE and enter its view.

ipsec policy policy-name
seq-number isakmp

By default, no IPsec policy exists.

3.

Configure an IPsec connection
name.

connection-name name

Optional.
By default, no IPsec connection name is

configured.

4.

Assign an ACL to the IPsec
policy.

security acl acl-number
[ aggregation ]

By default, an IPsec policy references no
ACL.

5.

Assign IPsec proposals to the
IPsec policy.

proposal
proposal-name&<1-6>

By default, an IPsec policy references no
IPsec proposal.