Directly configuring an ike-based ipsec policy – H3C Technologies H3C S6300 Series Switches User Manual

228

•

The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional

on the responder. The remote IP address specified on the local end must be the same as the local
IP address specified on the remote end.

For an IPsec SA established through IKE negotiation:

•

The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.

•

The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires
when either lifetime expires.

Directly configuring an IKE-based IPsec policy

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Create an IKE-based IPsec

policy entry and enter its view.

ipsec { ipv6-policy | policy }
policy-name seq-number isakmp

By default, no IPsec policy exists.

3.

(Optional.) Configure a
description for the IPsec

policy.

description text

By default, no description is
configured.

4.

Specify an ACL for the IPsec

policy.

security acl [ ipv6 ] { acl-number |
name acl-name } [ aggregation |
per-host ]

By default, no ACL is specified for
the IPsec policy.
An IPsec policy can reference only
one ACL.

5.

Specify IPsec transform sets
for the IPsec policy.

transform-set
transform-set-name&<1-6>

By default, the IPsec policy
references no IPsec transform set.

6.

Specify an IKE profile for the

IPsec policy.

ike-profile profile-name

By default, the IPsec policy
references no IKE profile, and the

device selects an IKE profile

configured in system view for
negotiation. If no IKE profile is

configured, the globally

configured IKE settings are used.
An IPsec policy can reference only

one IKE profile, and it cannot
reference any IKE profile that is

already referenced by another

IPsec policy or IPsec policy
template.
For more information about IKE
profiles, see "

Configuring IKE

."