H3C Technologies H3C S12500-X Series Switches User Manual
Page 148

Configuration restrictions and guidelines
To guarantee successful SA negotiations, make sure the IPsec configurations at the two ends of an IPsec tunnel meet the following requirements:
• The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
• The remote IPv4 address configured on the local end must be the same as the primary IPv4 address of the interface applied with the IPsec policy at the remote end. The remote IPv6 address configured on the local end must be the same as the first IPv6 address of the interface applied with the IPsec policy at the remote end.
• At each end, configure parameters for both the inbound SA and the outbound SA, and make sure the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP address, security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique.
• The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.
• The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters.
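The five guidelines above, turned into a consistency check that can be run over the intended settings of both tunnel ends before they are typed into the switches. This is an added example in Python, not code from the H3C manual or from Comware; each endpoint is modelled as a small dict built by a hypothetical make_end() helper, and all addresses, SPIs and keys are constructed sample values.

```python
# Added example (not H3C's code): applies the guidelines above to a pair of manual IPsec endpoints.
# Endpoint dict layout, addresses, SPIs and keys are constructed sample data, not device output.

def make_end(local_ip, remote_ip, in_spi, in_key, out_spi, out_key, key_format="characters",
             transform=("esp", "aes-cbc-128", "sha1", "tunnel")):
    proto, enc, auth, mode = transform  # hypothetical record layout, one record per tunnel end
    return {"local_address": local_ip, "remote_address": remote_ip,
            "transform_set": {"protocol": proto, "encryption": enc, "integrity": auth, "mode": mode},
            "sa": {"inbound": {"spi": in_spi, "key": in_key, "key_format": key_format},
                   "outbound": {"spi": out_spi, "key": out_key, "key_format": key_format}}}

def check_pair(local, remote):
    """Return guideline violations between the two ends of one tunnel (empty list means OK)."""
    problems = []
    # Guideline 1: same security protocol, algorithms and encapsulation mode on both ends.
    for k, v in local["transform_set"].items():
        if remote["transform_set"].get(k) != v:
            problems.append(f"transform-set {k} differs: {v} vs {remote['transform_set'].get(k)}")
    # Guideline 2: the remote-address on each end must equal the peer's interface address.
    if local["remote_address"] != remote["local_address"]:
        problems.append("local remote-address does not match the remote interface address")
    if remote["remote_address"] != local["local_address"]:
        problems.append("remote remote-address does not match the local interface address")
    # Guideline 4: local inbound SA must carry the SPI and key of the remote outbound SA, and vice versa.
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        a, b = local["sa"][mine], remote["sa"][theirs]
        if (a["spi"], a["key"]) != (b["spi"], b["key"]):
            problems.append(f"local {mine} SA (SPI {a['spi']}) does not match remote {theirs} SA (SPI {b['spi']})")
    # Guideline 5: all four SAs must use the same key format (characters or hexadecimal).
    formats = {end["sa"][d]["key_format"] for end in (local, remote) for d in ("inbound", "outbound")}
    if len(formats) > 1:
        problems.append(f"mixed key formats: {sorted(formats)}")
    return problems

def check_uniqueness(policies):
    """Guideline 3 on one device: outbound (remote, protocol, SPI) triplets and inbound SPIs are unique."""
    problems, seen = [], set()
    for p in policies:
        out = ("outbound", p["remote_address"], p["transform_set"]["protocol"], p["sa"]["outbound"]["spi"])
        inb = ("inbound", p["sa"]["inbound"]["spi"])
        for key in (out, inb):
            if key in seen:
                problems.append(f"duplicate {key[0]} SA identifier {key[1:]}")
            seen.add(key)
    return problems

# Constructed sample: a correctly mirrored pair, then a peer whose SAs are not swapped and use hex keys.
LOCAL = make_end("10.0.0.1", "10.0.0.2", 12345, "k-in", 54321, "k-out")
REMOTE = make_end("10.0.0.2", "10.0.0.1", 54321, "k-out", 12345, "k-in")
BAD_REMOTE = make_end("10.0.0.2", "10.0.0.1", 12345, "k-in", 54321, "k-out", key_format="hex")
```

Running check_pair(LOCAL, REMOTE) returns an empty list, while check_pair(LOCAL, BAD_REMOTE) reports both mismatched SA pairs and the mixed key formats.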
Configuration procedure
To configure a manual IPsec policy:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create a manual IPsec policy entry and enter its view.
  Command: ipsec { ipv6-policy | policy } policy-name seq-number manual
  Remarks: By default, no IPsec policy exists.

Step 3. (Optional.) Configure a description for the IPsec policy.
  Command: description text
  Remarks: By default, no description is configured.

Step 4. Specify an ACL for the IPsec policy.
  Command: security acl [ ipv6 ] { acl-number | name acl-name }
  Remarks: By default, an IPsec policy references no ACL. An IPsec policy can reference only one ACL.

Step 5. Specify an IPsec transform set for the IPsec policy.
  Command: transform-set transform-set-name
  Remarks: By default, an IPsec policy references no IPsec transform set. A manual IPsec policy can reference only one IPsec transform set.

Step 6. Specify the remote IP address of the IPsec tunnel.
  Command: remote-address { ipv4-address | ipv6 ipv6-address }
  Remarks: By default, the remote IP address of the IPsec tunnel is not specified. The local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied. The local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied.