Configuring a manual IPsec policy, Configuration restrictions and guidelines, Configuration procedure – H3C Technologies H3C S6300 Series Switches User Manual

Step | Command | Remarks (continued)

5. Specify the mode in which the security protocol encapsulates IP packets.
   Command: encapsulation-mode { transport | tunnel }
   Remarks: By default, the security protocol encapsulates IP packets in tunnel mode. Transport mode applies only when the source and destination IP addresses of the data flows match those of the IPsec tunnel. IPsec for IPv6 routing protocols supports only transport mode.

6. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature for the IPsec policy.
   Command (non-FIPS mode): pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }
   Command (FIPS mode): pfs dh-group14
   Remarks: By default, PFS is not used for SA negotiation. For more information about PFS, see "Configuring IKE." The security level of the Diffie-Hellman (DH) group of the initiator must be higher than or equal to that of the responder. An end on which PFS is not enabled performs SA negotiation according to the PFS requirements of its peer. Note that dh-group1 and dh-group2 (768-bit and 1024-bit MODP) are weak by current standards; prefer dh-group14 or stronger when both peers support it.

Configuring a manual IPsec policy

In a manual IPsec policy, you configure all parameters by hand, including the keys, the SPIs, and, in tunnel mode, the IP addresses of the two ends. Nothing is negotiated, so the two ends must be configured as exact mirrors of each other.

Configuration restrictions and guidelines

Make sure the IPsec configuration at the two ends of an IPsec tunnel meets the following requirements:

• The IPsec policies at the two ends must use IPsec transform sets with the same security protocols, security algorithms, and encapsulation mode.

• The remote IPv4 address configured on the local end must be the same as the primary IPv4 address of the interface to which the IPsec policy is applied at the remote end. The remote IPv6 address configured on the local end must be the same as the first IPv6 address of the interface to which the IPsec policy is applied at the remote end.

• At each end, configure parameters for both the inbound SA and the outbound SA, and make sure the SAs in each direction are unique: for an outbound SA, its triplet (remote IP address, security protocol, and SPI) must be unique; for an inbound SA, its SPI must be unique.

• The local inbound SA must use the same SPI and keys as the remote outbound SA. Likewise, the local outbound SA must use the same SPI and keys as the remote inbound SA.

• The keys for the local and remote inbound and outbound SAs must all be in the same format. For example, if the local inbound SA uses a key entered as a character string, the local outbound SA and the remote inbound and outbound SAs must also use character-string keys.
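The mirroring rules above are easy to get wrong when two devices are configured by hand, and a manual SA with a mismatched SPI or key simply drops traffic with no negotiation error to point at the cause. The following added example (not code from the H3C manual) models the restrictions listed above as a pre-deployment consistency check over two constructed policy descriptions: matching transform sets, remote address equal to the peer's interface address, local inbound mirroring remote outbound (and vice versa), unique outbound triplets and inbound SPIs, and a single key format across all four SAs. The data classes, field names and sample addresses and keys are assumptions for illustration only and do not correspond to any H3C API.

```python
"""Two-end consistency check for a manual IPsec policy (added example).

The classes and sample values below are assumptions for illustration; they
model the guidelines in the manual, not any H3C data structure or CLI.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import chain
from typing import Optional


@dataclass(frozen=True)
class TransformSet:
    protocol: str            # "ah" or "esp"
    encryption: Optional[str]  # ESP encryption algorithm; None for AH
    authentication: str      # authentication algorithm
    mode: str                # "tunnel" or "transport"


@dataclass(frozen=True)
class SA:
    protocol: str    # "ah" or "esp"; must match the transform set
    spi: int         # Security Parameter Index
    key: str         # key exactly as entered on the CLI
    key_format: str  # "string" (characters) or "hex"


@dataclass
class ManualPolicy:
    name: str
    interface_ip: str   # primary IPv4 address of the interface the policy is applied to
    remote_ip: str      # remote address configured in the policy
    transform: TransformSet
    inbound: list[SA] = field(default_factory=list)
    outbound: list[SA] = field(default_factory=list)


def device_checks(policies: list[ManualPolicy]) -> list[str]:
    """Uniqueness rules that hold across all manual policies on one device."""
    errors: list[str] = []
    seen_out: set[tuple[str, str, int]] = set()
    seen_in: set[int] = set()
    for p in policies:
        for sa in p.outbound:
            triplet = (p.remote_ip, sa.protocol, sa.spi)
            if triplet in seen_out:
                errors.append(f"{p.name}: duplicate outbound triplet {triplet}")
            seen_out.add(triplet)
        for sa in p.inbound:
            if sa.spi in seen_in:
                errors.append(f"{p.name}: duplicate inbound SPI {sa.spi}")
            seen_in.add(sa.spi)
        for sa in chain(p.inbound, p.outbound):
            if sa.protocol != p.transform.protocol:
                errors.append(f"{p.name}: SA protocol {sa.protocol} != transform set {p.transform.protocol}")
    return errors


def peer_checks(local: ManualPolicy, remote: ManualPolicy) -> list[str]:
    """Rules that tie the two ends of one tunnel together."""
    errors: list[str] = []
    if local.transform != remote.transform:
        errors.append("transform sets differ (protocol, algorithms or encapsulation mode)")
    if local.remote_ip != remote.interface_ip:
        errors.append(f"local remote-address {local.remote_ip} != remote interface {remote.interface_ip}")
    if remote.remote_ip != local.interface_ip:
        errors.append(f"remote remote-address {remote.remote_ip} != local interface {local.interface_ip}")
    # Local inbound must mirror remote outbound; local outbound must mirror remote inbound.
    pairs = (("local inbound/remote outbound", local.inbound, remote.outbound),
             ("local outbound/remote inbound", local.outbound, remote.inbound))
    for label, mine, theirs in pairs:
        by_proto = {sa.protocol: sa for sa in theirs}
        for sa in mine:
            peer = by_proto.get(sa.protocol)
            if peer is None:
                errors.append(f"{label}: no peer SA for {sa.protocol}")
            elif (sa.spi, sa.key) != (peer.spi, peer.key):
                errors.append(f"{label}: SPI/key mismatch for {sa.protocol} ({sa.spi} vs {peer.spi})")
    formats = {sa.key_format for sa in chain(local.inbound, local.outbound, remote.inbound, remote.outbound)}
    if len(formats) > 1:
        errors.append(f"mixed key formats {sorted(formats)}; all four SAs must use one format")
    return errors


def check_tunnel(local: ManualPolicy, remote: ManualPolicy) -> list[str]:
    """Run every check for one tunnel; an empty list means the pair is consistent."""
    return device_checks([local]) + device_checks([remote]) + peer_checks(local, remote)


# Constructed sample: a correctly mirrored pair between 1.1.1.1 and 2.2.2.2 (hypothetical values).
TS = TransformSet("esp", "aes-cbc-128", "sha1", "tunnel")
SITE_A = ManualPolicy("site-a", "1.1.1.1", "2.2.2.2", TS,
                      inbound=[SA("esp", 12345, "abcdefx", "string")],
                      outbound=[SA("esp", 54321, "abcdefy", "string")])
SITE_B = ManualPolicy("site-b", "2.2.2.2", "1.1.1.1", TS,
                      inbound=[SA("esp", 54321, "abcdefy", "string")],
                      outbound=[SA("esp", 12345, "abcdefx", "string")])

# Constructed broken sample: site B's outbound key was entered in hex instead of as characters,
# so it no longer matches site A's inbound key and the key formats are mixed.
SITE_B_BAD = ManualPolicy("site-b", "2.2.2.2", "1.1.1.1", TS,
                          inbound=[SA("esp", 54321, "abcdefy", "string")],
                          outbound=[SA("esp", 12345, "61626364656678", "hex")])

if __name__ == "__main__":
    print("good pair:", check_tunnel(SITE_A, SITE_B) or "OK")
    print("bad pair:", check_tunnel(SITE_A, SITE_B_BAD))
```

The check deliberately compares the key text as typed rather than decoding it: the manual requires the same format on all four SAs, so a character-string key on one end and its hex spelling on the other is reported as an error even though the underlying bytes may be identical.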

Configuration procedure

To configure a manual IPsec policy: