Configuring an ipsec proposal – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

2. Configure an IPsec policy group to associate data flows with the IPsec proposals and specify the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec path), the required keys, and the SA lifetime.

3. Apply the IPsec policies to interfaces to finish IPsec configuration.

Complete the following tasks to configure IPsec:

Task | Remarks
Configuring an IPsec proposal | Required
Configuring an IPsec policy | Required
Applying an IPsec policy group to an interface | Required
Configuring IPsec stateful failover | Optional

IMPORTANT:

Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and
50, respectively. Make sure flows of these protocols are not denied on the interfaces with IKE or IPsec
configured.

Configuring an IPsec proposal

An IPsec proposal, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, and the encryption and authentication algorithms.

To configure an IPsec proposal:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IPsec proposal and enter its view.
  Command: ipsec proposal proposal-name
  Remarks: By default, no IPsec proposal exists. You can configure up to 10000 IPsec proposals in the system.

Step 3. Specify the security protocol for the IPsec proposal.
  Command: transform { ah | ah-esp | esp }
  Remarks: Optional. ESP by default. You can configure security algorithms for a security protocol only after that protocol is selected. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication.
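
The IMPORTANT note and the transform step together determine which flows an interface must let through: IKE on UDP port 500, plus AH (protocol 51), ESP (protocol 50), or both, depending on the transform keyword. The following check is an added example, not part of the H3C manual; the rule tuples, the first-match evaluation, the implicit deny, and all function names are assumptions made for illustration and are not H3C ACL syntax.

```python
# Added example. The rule tuples are a constructed format, not H3C ACL syntax.
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51   # IP protocol numbers
IKE_UDP_PORT = 500

# Security protocols carried on the wire for each `transform` keyword.
TRANSFORM_PROTOCOLS = {
    "ah": [("AH", PROTO_AH)],
    "esp": [("ESP", PROTO_ESP)],
    "ah-esp": [("AH", PROTO_AH), ("ESP", PROTO_ESP)],
}

def required_flows(transform="esp"):
    """IKE plus the protocol(s) the proposal selects (ESP is the default)."""
    flows = [("IKE", PROTO_UDP, IKE_UDP_PORT)]
    flows += [(name, proto, None) for name, proto in TRANSFORM_PROTOCOLS[transform]]
    return flows

def rule_matches(rule, proto, port):
    """rule = (action, protocol, dst_port); None in a field means 'any'."""
    _, r_proto, r_port = rule
    if r_proto is not None and r_proto != proto:
        return False
    # A port condition never matches AH/ESP, which carry no port (port is None).
    return r_port is None or r_port == port

def first_match(rules, proto, port, default="deny"):
    """Return the action of the first matching rule (assumed first-match filter)."""
    for rule in rules:
        if rule_matches(rule, proto, port):
            return rule[0]
    return default  # assumption: implicit deny when nothing matches

def blocked_flows(rules, transform="esp", default="deny"):
    """Names of required IKE/IPsec flows that the rule list would not permit."""
    return [name for name, proto, port in required_flows(transform)
            if first_match(rules, proto, port, default) != "permit"]

# Constructed sample filter: permits IKE and ESP, denies everything else.
SAMPLE_RULES = [("permit", PROTO_UDP, 500), ("permit", PROTO_ESP, None), ("deny", None, None)]

if __name__ == "__main__":
    for mode in ("esp", "ah", "ah-esp"):
        print(mode, "->", blocked_flows(SAMPLE_RULES, mode) or "all required flows permitted")
```

With the sample filter, a proposal left at the default esp passes, while changing it to ah or ah-esp is reported as blocked because nothing permits protocol 51.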