H3C Technologies H3C S12500-X Series Switches User Manual
Page 150

138
•
An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation,
IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match
is found, no SA can be set up, and the packets expecting to be protected will be dropped.
•
The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional
on the responder. The remote IP address specified on the local end must be the same as the local
IP address specified on the remote end.
For an IPsec SA established through IKE negotiation:
•
The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.
•
The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires
when either lifetime expires.
471B
Configuration procedure
Step Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Create an IKE-based IPsec
policy entry and enter its view.
ipsec { ipv6-policy | policy }
policy-name seq-number isakmp
By default, no IPsec policy exists.
3.
(Optional.) Configure a
description for the IPsec
policy.
description text
By default, no description is
configured.
4.
Specify an ACL for the IPsec
policy.
security acl [ ipv6 ] { acl-number |
name acl-name } [ aggregation |
per-host ]
By default, no ACL is specified for
the IPsec policy.
An IPsec policy can reference only
one ACL.
5.
Specify IPsec transform sets
for the IPsec policy.
transform-set
transform-set-name&<1-6>
By default, the IPsec policy
references no IPsec transform set.
6.
Specify an IKE profile for the
IPsec policy.
ike-profile profile-name
By default, the IPsec policy
references no IKE profile, and the
device selects an IKE profile
configured in system view for
negotiation. If no IKE profile is
configured, the globally
configured IKE settings are used.
An IPsec policy can reference only
one IKE profile, and it cannot
reference any IKE profile that is
already referenced by another
IPsec policy.
For more information about IKE
profiles, see "
855H
Configuring IKE
."
- H3C S5560 Series Switches H3C WX6000 Series Access Controllers H3C WX5000 Series Access Controllers H3C WX3000 Series Unified Switches H3C LSWM1WCM10 Access Controller Module H3C LSWM1WCM20 Access Controller Module H3C LSQM1WCMB0 Access Controller Module H3C LSRM1WCM2A1 Access Controller Module H3C LSBM1WCM2A0 Access Controller Module H3C S9800 Series Switches H3C S5130 Series Switches H3C S5120 Series Switches