H3C Technologies H3C SecPath F1000-E User Manual

To do: Configure an IPsec connection name
Use the command: connection-name name
Remark: Optional. By default, no IPsec connection name is configured.

To do: Specify the ACL for the IPsec policy to reference
Use the command: security acl acl-number [ aggregation ]
Remark: Required. By default, an IPsec policy references no ACL.

To do: Specify the IPsec proposals for the IPsec policy to reference
Use the command: proposal proposal-name&<1-6>
Remark: Required. By default, an IPsec policy references no IPsec proposal.

To do: Specify the IKE peer for the IPsec policy to reference
Use the command: ike-peer peer-name
Remark: Required. An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa.

To do: Enable and configure the perfect forward secrecy feature for the IPsec policy
Use the command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
Remark: Optional. By default, the PFS feature is not used for negotiation. For information about PFS, refer to Security Mechanism of IKE.

To do: Configure the SA lifetime
Use the command: sa duration { time-based seconds | traffic-based kilobytes }
Remark: Optional. By default, the SA lifetime of an IPsec policy equals the current global SA lifetime.

To do: Enable the IPsec policy
Use the command: policy enable
Remark: Optional. Enabled by default.

To do: Return to system view
Use the command: quit

To do: Configure the global SA lifetime
Use the command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
Remark: Optional. 3,600 seconds for time-based SA lifetime by default. 1,843,200 kilobytes for traffic-based SA lifetime by default.

Configure an IPsec policy using IKE by referencing an IPsec policy template

The parameters configurable for an IPsec policy template are the same as those you can configure when directly configuring an IPsec policy using IKE. The difference is that more parameters are optional.

Required configuration: The IPsec proposals and IKE peer.

Optional configuration: The ACL, PFS feature, and SA lifetime. Unlike in the direct configuration, the ACL for the IPsec policy to reference is optional. A responder with no ACL configured accepts the initiator's ACL configuration.
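
The following Python check is an added example, not part of the H3C manual: it reads a configuration listing and, for each IPsec policy or policy template, reports which Required settings from the remarks above are missing, whether PFS will be negotiated, and the effective SA lifetime. The names audit and SAMPLE are hypothetical, the sample configuration is constructed, and the view-entry lines (ipsec policy NAME SEQ isakmp, ipsec policy-template NAME SEQ) are not shown on this page and are assumed here.

```python
import re

# Required settings per configuration style, taken from the remarks above.
REQUIRED = {"policy": {"security acl", "proposal", "ike-peer"},
            "template": {"proposal", "ike-peer"}}  # ACL is optional in a template
KEYWORDS = ("security acl", "proposal", "ike-peer", "pfs", "sa duration")
GLOBAL_DEFAULT = {"time-based": 3600, "traffic-based": 1843200}  # seconds, kilobytes

# Constructed sample; names are made up, view-entry line syntax is assumed.
SAMPLE = """\
ipsec sa global-duration time-based 7200
ipsec policy branch 10 isakmp
 proposal prop1
 ike-peer peer1
 pfs dh-group14
quit
ipsec policy-template tpl 1
 proposal prop1
 ike-peer peer2
 sa duration time-based 1800
quit
"""

def audit(config):
    """Map each policy/template header to its missing items, PFS group, lifetime."""
    global_life, blocks, current = dict(GLOBAL_DEFAULT), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"ipsec sa global-duration (time-based|traffic-based) (\d+)$", line):
            global_life[m[1]] = int(m[2])
        elif re.match(r"ipsec policy-template \S+ \d+$", line):
            current = blocks.setdefault(line, {"kind": "template", "set": {}})
        elif re.match(r"ipsec policy \S+ \d+ isakmp$", line):
            current = blocks.setdefault(line, {"kind": "policy", "set": {}})
        elif line in ("quit", "#", ""):
            current = None  # left the policy view
        elif current is not None:
            for kw in KEYWORDS:
                if line == kw or line.startswith(kw + " "):
                    current["set"].setdefault(kw, []).append(line[len(kw):].strip())
    report = {}
    for header, blk in blocks.items():
        life = dict(global_life)  # default: the policy uses the global SA lifetime
        for arg in blk["set"].get("sa duration", []):  # per-policy override
            unit, value = arg.split()
            life[unit] = int(value)
        report[header] = {"missing": sorted(REQUIRED[blk["kind"]] - set(blk["set"])),
                          "pfs": (blk["set"].get("pfs") or [None])[-1],  # None: no PFS
                          "lifetime": life}
    return report
```

On the sample, the directly configured policy is flagged for its missing ACL, while the template with the same omission passes and shows PFS as not negotiated.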

Follow these steps to configure an IPsec policy using IKE by referencing an IPsec policy template: