Applying an ipsec policy to an interface – H3C Technologies H3C S12500-X Series Switches User Manual

Step 7. Specify the local IP address of the IPsec tunnel.
Command: local-address { ipv4-address | ipv6 ipv6-address }
Remarks: By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied. The local IP address specified by this command must be the same as the IP address used as the local IKE identity.

Step 8. Specify the remote IP address of the IPsec tunnel.
Command: remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }
Remarks: By default, the remote IP address of the IPsec tunnel is not specified.

Step 9. Set the IPsec SA lifetime.
Command: sa duration { time-based seconds | traffic-based kilobytes }
Remarks: By default, the global SA lifetime is used.

Step 10. (Optional.) Set the IPsec SA idle timeout.
Command: sa idle-time seconds
Remarks: By default, the global SA idle timeout is used.

Step 11. Return to system view.
Command: quit
Remarks: N/A

Step 12. Set the global SA lifetime.
Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
Remarks: By default, the time-based SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes.

Step 13. (Optional.) Enable the global IPsec SA idle timeout function, and set the global SA idle timeout.
Command: ipsec sa idle-time seconds
Remarks: By default, the global IPsec SA idle timeout function is disabled.


Applying an IPsec policy to an interface

You can apply an IPsec policy to an interface to protect certain data flows. To cancel the IPsec protection, remove the application of the IPsec policy.

For each packet to be sent out of an interface to which an IPsec policy is applied, the interface looks through the IPsec policy entries in the IPsec policy in ascending order of sequence numbers. If the packet matches the ACL of an IPsec policy entry, the interface uses that IPsec policy entry to protect the packet. If no match is found, the interface sends the packet out without IPsec protection.

When the interface receives an IPsec packet whose destination address is the IP address of the local device, it searches for the inbound IPsec SA according to the SPI carried in the IPsec packet header and uses that SA for de-encapsulation. If the de-encapsulated packet matches the permit rule of the ACL, the device processes the packet. Otherwise, it drops the packet.

An interface can reference only one IPsec policy. An IKE-based IPsec policy can be applied to more than one interface, but a manual IPsec policy can be applied to only one interface.
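The outbound entry walk and the inbound SPI lookup described above, modelled as an added Python example (not H3C code or the manual's own procedure): ACL matching is simplified to first-matching-rule-wins on IPv4 source and destination prefixes, and the policy entries, SPI value and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)

@dataclass(frozen=True)
class AclRule:
    action: str                 # "permit" or "deny"; the first matching rule decides
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass(frozen=True)
class PolicyEntry:
    seq: int                    # sequence number; lower numbers are checked first
    acl: Tuple[AclRule, ...]

def acl_permits(acl: Tuple[AclRule, ...], src: str, dst: str) -> bool:
    """True only if the first rule matching (src, dst) is a permit rule; no match
    or a deny match means the packet does not match this policy entry (simplification)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst:
            return rule.action == "permit"
    return False

def outbound(policy: List[PolicyEntry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Outbound: walk entries in ascending sequence-number order; the first match protects
    the packet. An unmatched packet leaves as plaintext, which is what an audit must check."""
    for entry in sorted(policy, key=lambda e: e.seq):
        if acl_permits(entry.acl, src, dst):
            return ("protected", entry.seq)
    return ("plaintext", None)

def inbound(sas: Dict[int, PolicyEntry], spi: int, src: str, dst: str) -> str:
    """Inbound: select the SA by the SPI in the packet header, then check the
    de-encapsulated inner packet against that entry's ACL; a mismatch is dropped."""
    entry = sas.get(spi)
    if entry is None:
        return "drop:unknown-spi"
    return "accept" if acl_permits(entry.acl, src, dst) else "drop:acl-mismatch"

# Constructed sample data (not from the manual): entry 10 is broad, entry 20 is narrower.
BROAD = PolicyEntry(10, (AclRule("permit", _net("10.1.0.0/16"), _net("10.2.0.0/16")),))
NARROW = PolicyEntry(20, (AclRule("permit", _net("10.1.1.0/24"), _net("10.2.2.0/24")),))
POLICY = [NARROW, BROAD]      # definition order is irrelevant; only seq order counts
INBOUND_SAS = {0x1001: BROAD} # constructed SPI -> policy entry mapping
```

Because entries are walked by sequence number, the broad entry 10 claims traffic that the narrower entry 20 was written for, and a flow that no entry permits is forwarded in plaintext; both are worth checking when reviewing a policy.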
To apply an IPsec policy to an interface:
