H3C Technologies H3C S12500-X Series Switches User Manual

136


Configuration restrictions and guidelines

To guarantee successful SA negotiations, make sure the IPsec configurations at the two ends of an IPsec tunnel meet the following requirements:

• The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.

• The remote IPv4 address configured on the local end must be the same as the primary IPv4 address of the interface to which the IPsec policy is applied at the remote end. The remote IPv6 address configured on the local end must be the same as the first IPv6 address of the interface to which the IPsec policy is applied at the remote end.

• At each end, configure parameters for both the inbound SA and the outbound SA, and make sure the SAs in each direction are unique: for an outbound SA, make sure its triplet (remote IP address, security protocol, and SPI) is unique; for an inbound SA, make sure its SPI is unique.

• The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and the remote inbound SA.

• The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and the remote inbound and outbound SAs must also use keys in characters.
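The requirements above are easy to get wrong when two devices are configured by hand, because every SPI and key is entered twice and the inbound/outbound pairing is crossed between the ends. The following script is an added example, not code from the H3C manual: it models what each end has configured and checks the five requirements (matching transform set, remote address equal to the peer's applied-interface address, crossed SPI/key pairing, uniform key format, and per-device uniqueness of outbound triplets and inbound SPIs). The data model, field names, addresses, SPIs and keys are this example's own constructed assumptions and are not H3C command syntax. The check only confirms that the two ends agree; with manual keying the keys stay fixed until an administrator changes them, so agreement says nothing about their strength or freshness.

```python
"""Cross-check two ends of a manually keyed IPsec tunnel against the guidelines.

Added example, not part of the H3C manual. The data model and field names below
are this example's own (they are not H3C commands), and the addresses, SPIs and
keys are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TransformSet:
    """Security protocol, algorithms and encapsulation mode; must match end to end."""
    protocol: str        # "esp" or "ah"
    encryption: str      # e.g. "aes-cbc-128"; "" when the protocol is AH
    authentication: str  # e.g. "sha1"
    mode: str            # "tunnel" or "transport"


@dataclass(frozen=True)
class ManualSA:
    """One direction of a manually configured SA."""
    spi: int
    key: str
    key_format: str      # "string" (key in characters) or "hex"


@dataclass(frozen=True)
class IPsecEnd:
    """What one end of the tunnel has configured."""
    name: str
    local_address: str   # primary IPv4 address of the interface the policy is applied to
    remote_address: str  # remote-address set in the manual IPsec policy
    transform_set: TransformSet
    inbound: ManualSA
    outbound: ManualSA


def check_tunnel(a: IPsecEnd, b: IPsecEnd) -> list[str]:
    """Return a list of violations; an empty list means the two ends are consistent."""
    problems: list[str] = []
    if a.transform_set != b.transform_set:
        problems.append("transform sets differ (protocol, algorithms or mode)")
    for local, remote in ((a, b), (b, a)):
        # remote-address on one end must be the peer's applied-interface address
        if local.remote_address != remote.local_address:
            problems.append(f"{local.name}: remote-address {local.remote_address} "
                            f"is not {remote.name}'s local address {remote.local_address}")
        # the local inbound SA pairs with the remote outbound SA: same SPI and key
        if local.inbound.spi != remote.outbound.spi:
            problems.append(f"{local.name} inbound SPI {local.inbound.spi} != "
                            f"{remote.name} outbound SPI {remote.outbound.spi}")
        if local.inbound.key != remote.outbound.key:
            problems.append(f"{local.name} inbound key differs from {remote.name} outbound key")
    # all four SAs must use keys in the same format
    formats = {sa.key_format for end in (a, b) for sa in (end.inbound, end.outbound)}
    if len(formats) > 1:
        problems.append(f"mixed key formats: {sorted(formats)}")
    return problems


def check_device_sas(entries: list[IPsecEnd]) -> list[str]:
    """On one device, every outbound (remote IP, protocol, SPI) triplet and every
    inbound SPI must be unique across all of its manual policy entries."""
    problems: list[str] = []
    seen_out: set[tuple[str, str, int]] = set()
    seen_in: set[int] = set()
    for e in entries:
        triplet = (e.remote_address, e.transform_set.protocol, e.outbound.spi)
        if triplet in seen_out:
            problems.append(f"duplicate outbound SA triplet {triplet}")
        seen_out.add(triplet)
        if e.inbound.spi in seen_in:
            problems.append(f"duplicate inbound SPI {e.inbound.spi}")
        seen_in.add(e.inbound.spi)
    return problems


# Constructed sample configuration for two switches (not from the manual).
TS = TransformSet(protocol="esp", encryption="aes-cbc-128", authentication="sha1", mode="tunnel")
SWITCH_A = IPsecEnd("SwitchA", "192.0.2.1", "192.0.2.2", TS,
                    inbound=ManualSA(12345, "abcdef", "string"),
                    outbound=ManualSA(54321, "fedcba", "string"))
SWITCH_B = IPsecEnd("SwitchB", "192.0.2.2", "192.0.2.1", TS,
                    inbound=ManualSA(54321, "fedcba", "string"),
                    outbound=ManualSA(12345, "abcdef", "string"))
# Same as SWITCH_B, but the remote address is mistyped and one key is in hex format.
SWITCH_B_BAD = IPsecEnd("SwitchB", "192.0.2.2", "192.0.2.3", TS,
                        inbound=ManualSA(54321, "fedcba", "hex"),
                        outbound=ManualSA(12345, "abcdef", "string"))

if __name__ == "__main__":
    print(check_tunnel(SWITCH_A, SWITCH_B))       # [] when everything matches
    for p in check_tunnel(SWITCH_A, SWITCH_B_BAD):
        print("FAIL:", p)
```

Run it as-is to see the consistent pair pass and the mistyped pair report the wrong remote address and the mixed key formats; swap the inbound and outbound SPIs on one end to see the crossed-pairing check fire.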


Configuration procedure

To configure a manual IPsec policy:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a manual IPsec policy entry and enter its view.
   Command: ipsec { ipv6-policy | policy } policy-name seq-number manual
   Remarks: By default, no IPsec policy exists.

3. (Optional.) Configure a description for the IPsec policy.
   Command: description text
   Remarks: By default, no description is configured.

4. Specify an ACL for the IPsec policy.
   Command: security acl [ ipv6 ] { acl-number | name acl-name }
   Remarks: By default, an IPsec policy references no ACL. An IPsec policy can reference only one ACL.

5. Specify an IPsec transform set for the IPsec policy.
   Command: transform-set transform-set-name
   Remarks: By default, an IPsec policy references no IPsec transform set. A manual IPsec policy can reference only one IPsec transform set.

6. Specify the remote IP address of the IPsec tunnel.
   Command: remote-address { ipv4-address | ipv6 ipv6-address }
   Remarks: By default, the remote IP address of the IPsec tunnel is not specified. The local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied. The local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied.
