beautypg.com

H3C Technologies H3C SecPath F1000-E User Manual

Page 140

background image

12

Both ends of an IPsec tunnel must be configured with the same key in the same format, and the keys

of the inbound and outbound SAs at an end must be in the same format.

When you configure an IPsec policy for an IPv6 routing protocol, the following requirements are also
needed:

ACLs and IPsec tunnel addresses are not needed.

The SPI and keys of the inbound and outbound SAs must be identical at the local end.

The SPI and key configured on all devices within a scope must be identical. The scope is determined
by the IPv6 routing protocol to be protected. For OSPFv3, the scope refers to directly connected

neighbors or an OSPFv3 area. For RIPng, the scope refers to directly connected neighbors or a
RIPng process. For IPv6 BGP, the scope refers to directly connected neighbors or a neighbor group.

2.

Configuring procedure

Following these steps to configure an IPsec policy manually:

To do…

Use the command…

Remarks

Enter system view

system-view

Manually create an IPsec policy and
enter its view

ipsec policy policy-name
seq-number manual

Required
By default, no IPsec policy exists.

Specify the ACL for the IPsec policy
to reference

security acl acl-number

Not needed for IPsec policies to be
applied to IPv6 routing protocols

and required for other applications.
By default, an IPsec policy

references no ACL.
The ACL supports match criteria of

the VPN instance attribute.

Specify the IPsec proposals for the
IPsec policy to reference

proposal proposal-name

Required
By default, an IPsec policy

references no IPsec proposal.

Configure the
local address of

the tunnel

tunnel local ip-address

Not needed for IPsec policies to be
applied to IPv6 routing protocols

and required for other applications.
Not configured by default

Configure the
two ends of the

IPsec tunnel

Configure the
remote address

of the tunnel

tunnel remote ip-address

Required
Not configured by default

Configure the SPIs for the SAs

sa spi { inbound | outbound }
{ ah | esp } spi-number

Required

Configure the
authentication

key (in

hexadecimal)

sa authentication-hex { inbound
| outbound } { ah | esp } hex-key

Configure keys
for the SAs

Configure the
authentication

key
(in characters)

sa string-key { inbound |
outbound } { ah | esp } string-key

Required
Use either command
For ESP, the system can
automatically generate both the

authentication key and encryption

key.

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: