Configuring an ipsec policy using ike – H3C Technologies H3C SecPath F1000-E User Manual

To do…: Configure the encryption key (in characters)
Use the command…: sa string-key { inbound | outbound } esp string-key

To do…: Configure the encryption key (in hexadecimal)
Use the command…: sa encryption-hex { inbound | outbound } esp hex-key

Remarks (both commands): Required. Use either command. When the encryption key is configured as a character string, the system can automatically generate both the authentication key and the encryption key.
NOTE:
• An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last one takes effect.
• For manual SAs, an IPsec policy can reference only one IPsec proposal. To change an IPsec proposal for an IPsec policy, you must remove the proposal reference first.
• When configuring SAs for a system, you must configure the parameters for both the inbound and outbound SAs. Additionally, different SAs must have different SPIs and the inbound or outbound SPIs at one end must be different.
• If you configure a key in both modes, string and hexadecimal, only the last configured one will be used.
• You cannot change the creation mode of an IPsec policy from manual to IKE, or vice versa. To create an IPsec policy using IKE, delete the manual IPsec policy, and then use IKE to configure an IPsec policy.
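The rules in the NOTE above can be checked mechanically when auditing the command lines of a manual IPsec policy. The following Python example is added here and is not taken from the H3C manual; the `security acl` and `sa spi` command forms, the function name, and all sample values (ACL numbers, SPIs, keys) are assumptions constructed for illustration.

```python
import re

# Constructed sample: lines as they might appear in one manual IPsec policy view.
# The "security acl" and "sa spi" forms are assumed; they are not shown on this page.
SAMPLE = """\
security acl 3100
security acl 3101
sa spi inbound esp 12345
sa spi outbound esp 12345
sa encryption-hex inbound esp 0123456789abcdef
sa string-key inbound esp example-key
sa string-key outbound esp example-key
"""

LINE = re.compile(r"^(security acl|sa spi|sa string-key|sa encryption-hex)\s+(.*)$")

def audit_manual_policy(text):
    """Return a list of findings for one manual IPsec policy's command lines."""
    acls, spi, key_mode = [], {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        cmd, args = m.group(1), m.group(2).split()
        if cmd == "security acl":
            acls.append(args[0])
        elif len(args) >= 3 and args[0] in ("inbound", "outbound"):
            direction = args[0]
            if cmd == "sa spi":
                spi[direction] = args[2]
            else:
                # Record key commands in order; the last one is the one in use.
                key_mode.setdefault(direction, []).append(cmd)
    findings = []
    if len(acls) > 1:
        findings.append(f"multiple ACLs applied; only the last ({acls[-1]}) takes effect")
    for direction in ("inbound", "outbound"):
        if direction not in spi:
            findings.append(f"{direction} SA has no SPI")
        modes = key_mode.get(direction, [])
        if not modes:
            findings.append(f"{direction} SA has no encryption key")
        elif len(set(modes)) > 1:
            findings.append(f"{direction} key set in both modes; only the last ({modes[-1]}) is used")
    if "inbound" in spi and spi.get("inbound") == spi.get("outbound"):
        findings.append("inbound and outbound SPIs are identical")
    return findings

if __name__ == "__main__":
    for finding in audit_manual_policy(SAMPLE):
        print(finding)
```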
Configuring an IPsec policy using IKE
You can configure an IPsec policy using IKE in two ways:
• Directly configuring it by configuring the parameters in IPsec policy view.
• Configuring it by referencing an existing IPsec policy template with the parameters to be negotiated configured. A device referencing an IPsec policy that is configured in this way cannot initiate SA negotiation but can respond to a negotiation request. The parameters not defined in the template will be determined by the initiator, and therefore this approach applies to scenarios where the remote end's information, such as the IP address, is unknown.
1. Configuration prerequisites
Configure the ACLs and IKE peer for the IPsec policy to reference. For IKE configuration, refer to
Note that the parameters for the local and remote ends must match.
2. Configuration procedure
• Directly configure an IPsec policy using IKE
Follow these steps to directly configure an IPsec policy using IKE:
To do…: Enter system view
Use the command…: system-view
Remark: —

To do…: Create an IPsec policy and enter its view
Use the command…: ipsec policy policy-name seq-number isakmp
Remark: Required. By default, no IPsec policy exists.