
Configuring an IPsec policy using IKE – H3C Technologies H3C SecPath F1000-E User Manual


| To do… | Use the command… | Remarks |
|---|---|---|
| Configure the encryption key (in characters) | sa string-key { inbound \| outbound } esp string-key | Required. Use either command. When the encryption key is configured as a character string, the system can automatically generate both the authentication key and the encryption key. |
| Configure the encryption key (in hexadecimal) | sa encryption-hex { inbound \| outbound } esp hex-key | Required. Use either command. |

NOTE:

An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last
one takes effect.

For manual SAs, an IPsec policy can reference only one IPsec proposal. To change an IPsec proposal for
an IPsec policy, you must remove the proposal reference first.

When configuring SAs for a system, you must configure the parameters for both the inbound and outbound SAs. Additionally, different SAs must have different SPIs and the inbound or outbound SPIs at one end must be different.

If you configure a key in both modes (string and hexadecimal), only the last one configured is used.

You cannot change the creation mode of an IPsec policy from manual to IKE, or vice versa. To create an IPsec policy using IKE, delete the manual IPsec policy, and then configure an IPsec policy using IKE.
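As an added example (not from the H3C manual), the Python code below lints a planned manual-SA command script against three rules from the NOTE above: both directions configured, last key mode wins, and no repeated SPI. The sample script is constructed; the "sa spi" lines, the "manual" keyword, the one-space indentation of view commands, and reading the SPI rule as "no SPI repeated among the inbound SAs, or among the outbound SAs, of one device" are assumptions.

```python
import re

# Constructed sample. "sa spi" and "manual" are assumed Comware syntax not shown on this page.
SAMPLE = """\
ipsec policy branch 10 manual
 sa spi inbound esp 1001
 sa spi outbound esp 2001
 sa string-key inbound esp EXAMPLE-KEY
 sa encryption-hex inbound esp EXAMPLE-HEX
 sa string-key outbound esp EXAMPLE-KEY
ipsec policy hq 20 manual
 sa spi inbound esp 1001
 sa string-key inbound esp EXAMPLE-KEY
"""

POLICY = re.compile(r"ipsec policy (\S+) (\d+) manual$")
SA = re.compile(r"\s+sa (spi|string-key|encryption-hex) (inbound|outbound) esp (\S+)$")

def parse(config):
    """Return {policy: {direction: {"spi": str or None, "keys": [mode, ...]}}}."""
    policies, current = {}, None
    for line in config.splitlines():
        if not line[:1].isspace():  # top-level line: enter or leave a policy view
            m = POLICY.match(line)
            current = policies.setdefault(f"{m[1]} {m[2]}", {
                d: {"spi": None, "keys": []} for d in ("inbound", "outbound")}) if m else None
            continue
        m = SA.match(line)
        if m and current is not None:
            kind, direction, value = m.groups()
            if kind == "spi":
                current[direction]["spi"] = value  # keep the last SPI seen
            else:
                current[direction]["keys"].append(kind)  # record the mode, never the key
    return policies

def lint(config):
    """Apply the NOTE's manual-SA rules; return (policy, direction, code, detail) tuples."""
    findings, spi_owner = [], {}
    for name, sas in parse(config).items():
        for direction, sa in sas.items():
            if sa["spi"] is None or not sa["keys"]:
                findings.append((name, direction, "incomplete-sa", "SPI or key missing"))
            if len(set(sa["keys"])) > 1:
                findings.append((name, direction, "key-overridden", f"only {sa['keys'][-1]} is used"))
            if sa["spi"] is not None:
                owner = spi_owner.setdefault((direction, sa["spi"]), name)
                if owner != name:
                    findings.append((name, direction, "spi-reused", f"SPI {sa['spi']} also on {owner}"))
    return findings
```

Calling lint(SAMPLE) reports the overridden string key on "branch 10", the inbound SPI that "hq 20" shares with it, and the missing outbound SA on "hq 20".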

Configuring an IPsec policy using IKE

You can configure an IPsec policy using IKE in two ways:

Directly configuring it by configuring the parameters in IPsec policy view.

Configuring it by referencing an existing IPsec policy template in which the parameters to be negotiated are configured. A device referencing an IPsec policy that is configured in this way cannot initiate SA negotiation but can respond to a negotiation request. The parameters not defined in the template are determined by the initiator, so this approach applies to scenarios where the remote end's information, such as its IP address, is unknown.

1. Configuration prerequisites

Configure the ACLs and IKE peer for the IPsec policy to reference. For IKE configuration, refer to Configuring an IKE Peer.

Note that the parameters for the local and remote ends must match.

2. Configuration procedure

Directly configure an IPsec policy using IKE

Follow these steps to directly configure an IPsec policy using IKE:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create an IPsec policy and enter its view | ipsec policy policy-name seq-number isakmp | Required. By default, no IPsec policy exists. |