beautypg.com

Configuring an ike-based ipsec policy, Configuration restrictions and guidelines – H3C Technologies H3C S6300 Series Switches User Manual

Page 242

background image

227

Step Command

Remarks

8.

Configure keys for the
IPsec SA.

Configure an authentication
key in hexadecimal format for

AH:

sa hex-key authentication
{ inbound | outbound } ah

{ cipher | simple } key-value

Configure an authentication

key in character format for AH:

sa string-key { inbound |

outbound } ah { cipher |
simple } key-value

Configure a key in character

format for ESP:
sa string-key { inbound |

outbound } esp { cipher |

simple } key-value

Configure an authentication

key in hexadecimal format for

ESP:
sa hex-key authentication

{ inbound | outbound } esp

{ cipher | simple } key-value

Configure an encryption key in

hexadecimal format for ESP:

sa hex-key encryption

{ inbound | outbound } esp
{ cipher | simple } key-value

By default, no keys are configured for the
IPsec SA.
Configure keys correctly for the security
protocol (AH, ESP, or both) you have

specified in the IPsec transform set
referenced by the IPsec policy.
If you configure a key in both the
character and the hexadecimal formats,

only the most recent configuration takes

effect.
If you configure a key in character format
for ESP, the device automatically

generates an authentication key and an

encryption key for ESP.

Configuring an IKE-based IPsec policy

In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.
To configure an IKE-based IPsec policy, use one of the following methods:

Directly configure it by configuring the parameters in IPsec policy view.

Configure it by referencing an existing IPsec policy template with the parameters to be negotiated
configured.
A device referencing an IPsec policy that is configured in this way cannot initiate an SA
negotiation, but it can respond to a negotiation request. The parameters not defined in the

template are determined by the initiator. When the remote end's information (such as the IP

address) is unknown, this method allows the remote end to initiate negotiations with the local end.

Configuration restrictions and guidelines

Make sure the IPsec configuration at the two ends of an IPsec tunnel meets the following requirements:

The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security
protocols, security algorithms, and encapsulation mode.

The IPsec policies at the two tunnel ends must have the same IKE profile parameters.

An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation,
IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match

is found, no SA can be set up, and the packets expecting to be protected will be dropped.

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: