H3C Technologies H3C SecPath F1000-E User Manual

Page 199

Advertising
background image

187

Before configuring an IPsec profile, complete the following tasks:

IPsec proposal configuration. For more information, see "

Configuring an IPsec proposal

."

IKE peer configuration. For more information, see "Configuring IKE."

The parameters for the local and remote ends must match.

NOTE:

During an IKE negotiation based on an IPsec profile, the source and destination addresses of the IPsec
tunnel interface are used as the local and remote addresses; the local-address and remote-address

commands configured for IKE negotiation do not take effect.

If you do not configure the destination address of the IPsec tunnel interface, the local peer can only be
an IKE negotiation responder; it cannot initiate an IKE negotiation.

To configure an IPsec profile:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Create an IPsec profile and
enter its view.

ipsec profile profile-name

By default, no IPsec profile exists.

3.

Specify the IPsec proposals for

the IPsec profile to reference. proposal proposal-name&<1-6>

By default, an IPsec profile
references no IPsec proposals.

4.

Specify the IKE peer for the
IPsec profile to reference.

ike-peer peer-name

An IPsec profile cannot reference
any IKE peer that is already

referenced by an IPsec policy, and
vice versa.

5.

Enable and configure the PFS
feature for the IPsec profile.

pfs { dh-group1 | dh-group2 |
dh-group5 | dh-group14 }

Optional.
By default, the PFS feature is not
used. In FIPS mode, the firewall

does not support the dh-group1

keyword.
For more information about PFS,
see "Configuring IKE."

6.

Set the SA lifetime.

sa duration { time-based seconds |
traffic-based kilobytes }

Optional.
By default, the SA lifetime of an
IPsec profile equals the current

global SA lifetime.

7.

Set the anti-replay information
synchronization intervals in

IPsec stateful failover mode.

synchronization
anti-replay-interval inbound

inbound-number outbound
outbound-number

Optional.
By default, the inbound anti-replay
window information is

synchronized whenever 1000
packets are received, and the

outbound anti-replay sequence

number is synchronized whenever
100000 packets are sent.

8.

Return to system view.

quit

N/A

Advertising
This manual is related to the following products:

H3C SecPath F5000-A5 Firewall, H3C SecPath F1000-A-EI, H3C SecPath F1000-E-SI, H3C SecPath F1000-S-AI, H3C SecPath F5000-S Firewall, H3C SecPath F5000-C Firewall, H3C SecPath F100-C-SI, H3C SecPath F1000-C-SI, H3C SecPath F100-A-SI, H3C SecBlade FW Cards, H3C SecBlade FW Enhanced Cards, H3C SecPath U200-A U200-M U200-S, H3C SecPath U200-CA U200-CM U200-CS

Popular Brands
Popular manuals