Configuring an ipsec policy, Configuring a manual ipsec policy – H3C Technologies H3C SecPath F1000-E User Manual
To do… / Use the command… / Remarks

Specify the authentication algorithm for ESP
  Command: esp authentication-algorithm { md5 | sha1 }
  Remarks: Optional. MD5 by default. Both options are HMAC integrity algorithms; prefer sha1 where the peer supports it, because HMAC-MD5 is no longer recommended for IPsec.

Specify the authentication algorithm for AH
  Command: ah authentication-algorithm { md5 | sha1 }
  Remarks: Optional. MD5 by default; the same preference for sha1 applies.

Specify the IP packet encapsulation mode for the IPsec proposal
  Command: encapsulation-mode { transport | tunnel }
  Remarks: Optional. Tunnel mode by default.
  Transport mode applies only when the source and destination IP addresses of the data flows match those of the IPsec tunnel endpoints, that is, when the protected traffic originates and terminates on the two IPsec peers themselves.
  IPsec for IPv6 routing protocols supports only transport mode.
NOTE:
• Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they are re-established with the updated parameters.
• You can configure security algorithms for a security protocol only after selecting that protocol. For example, you can specify the ESP-specific algorithms only when you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. Encryption without authentication leaves the protected traffic open to undetected tampering, so configure both an encryption and an authentication algorithm for ESP in practice.
• Up to 50 IPsec proposals can be configured.
Configuring an IPsec Policy
IPsec policies define which IPsec proposals are used to protect which data flows. An IPsec policy is uniquely identified by its name and sequence number.
IPsec policies fall into two categories:
• Manual IPsec policy: The parameters, such as the keys and SPIs, and in tunnel mode the IP addresses of the two ends, are configured manually. Manual SAs are static: they are never rekeyed, so the configured keys stay in use until you change them at both ends.
• IPsec policy using IKE: The parameters are negotiated automatically through IKE.
Configuring a manual IPsec policy
1. Configuration prerequisites
Besides configuring the ACLs and IPsec proposals that the IPsec policy references, observe these requirements when manually configuring the IPsec policies at the two ends of an IPsec tunnel:
• The IPsec proposals referenced by the two IPsec policies must use the same security protocol(s), security algorithms, and encapsulation mode.
• For an IPsec tunnel, the remote IP address configured at the local end must be identical to the local IP address configured at the remote end, and vice versa.
• The SPI and keys of the inbound SA at the local end must match those of the outbound SA at the remote end, and the SPI and keys of the outbound SA at the local end must match those of the inbound SA at the remote end.
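To see how the three prerequisites translate into two mirrored configurations, and to catch the common mistake of a key or SPI that does not cross-match, here is an added example (not code from the H3C manual): a small Python checker that parses two constructed manual-policy snippets and reports any mismatch. The snippets use assumed Comware V5 syntax for the commands this page does not show (transform, security acl, tunnel local/remote, sa spi, sa string-key); the SPIs, addresses and string keys are placeholders constructed for illustration, not values to deploy.

```python
"""Cross-check two manually keyed IPsec policy ends against the prerequisites above.

Added example, not code from the H3C manual. The two snippets are constructed
and use assumed Comware V5 syntax; the string keys are placeholders only.
"""

ROUTER_A = """
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 2.2.2.2
 tunnel remote 2.2.3.1
 sa spi outbound esp 12345
 sa spi inbound esp 54321
 sa string-key outbound esp abcdefg
 sa string-key inbound esp gfedcba
"""

ROUTER_B = """
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 2.2.3.1
 tunnel remote 2.2.2.2
 sa spi outbound esp 54321
 sa spi inbound esp 12345
 sa string-key outbound esp gfedcba
 sa string-key inbound esp abcdefg
"""


def parse_end(config: str) -> dict:
    """Parse one end's config into {'proposals': {name: params}, 'policy': {...}}."""
    proposals, policy, section, kind = {}, {}, None, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["ipsec", "proposal"]:
            section, kind = proposals.setdefault(words[2], {}), "proposal"
        elif words[:2] == ["ipsec", "policy"]:  # ipsec policy <name> <seq> manual
            policy = {"name": words[2], "seq": int(words[3]), "mode": words[4], "sa": {}}
            section, kind = policy, "policy"
        elif kind == "proposal":
            # transform esp / encapsulation-mode tunnel / esp authentication-algorithm sha1
            section[" ".join(words[:-1])] = words[-1]
        elif kind == "policy":
            if words[0] == "proposal":
                section["proposal"] = words[1]
            elif words[0] == "tunnel":  # tunnel local|remote <ip>
                section[words[1]] = words[2]
            elif words[0] == "sa":  # sa spi|string-key inbound|outbound ah|esp <value>
                param, direction, proto, value = words[1:5]
                section["sa"].setdefault((direction, proto), {})[param] = value
            # "security acl" is required on the device but plays no part in the cross-check
    return {"proposals": proposals, "policy": policy}


def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Return the list of mismatches between ends A and B; empty means the SAs line up."""
    a, b = parse_end(cfg_a), parse_end(cfg_b)
    pol_a, pol_b = a["policy"], b["policy"]
    prop_a, prop_b = a["proposals"][pol_a["proposal"]], b["proposals"][pol_b["proposal"]]
    problems = []
    # 1. Referenced proposals must agree on protocol, algorithms and encapsulation mode.
    for key in sorted(set(prop_a) | set(prop_b)):
        if prop_a.get(key) != prop_b.get(key):
            problems.append(f"proposal {key}: {prop_a.get(key)} vs {prop_b.get(key)}")
    # 2. Tunnel endpoints must mirror each other.
    if pol_a.get("local") != pol_b.get("remote") or pol_a.get("remote") != pol_b.get("local"):
        problems.append("tunnel local/remote addresses do not mirror each other")
    # 3. Inbound SA (SPI + key) at one end must equal the outbound SA at the other, per protocol.
    for proto in ("ah", "esp"):
        for dir_a, dir_b in (("inbound", "outbound"), ("outbound", "inbound")):
            sa_a, sa_b = pol_a["sa"].get((dir_a, proto)), pol_b["sa"].get((dir_b, proto))
            if sa_a != sa_b:
                problems.append(f"{proto} {dir_a} SA at A != {dir_b} SA at B: {sa_a} vs {sa_b}")
    return problems


if __name__ == "__main__":
    for label, cfg_b in (("as written", ROUTER_B),
                         ("with a mistyped inbound key", ROUTER_B.replace("esp abcdefg", "esp abcdefx"))):
        print(label, "->", check_pair(ROUTER_A, cfg_b) or "consistent")
```

Run it before pushing the configuration to both devices: an empty result means the proposals, tunnel addresses and cross-matched SPI/key pairs satisfy all three prerequisites; any message names the end and direction that needs fixing, which is far quicker than diagnosing silently dropped packets after the fact.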