H3C Technologies H3C SecPath F1000-E User Manual
Page 143

| To do… | Use the command… | Remark |
|---|---|---|
| Enter system view | `system-view` | — |
| Create an IPsec policy template and enter its view | `ipsec policy-template template-name seq-number` | Required. By default, no IPsec policy template exists. |
| Specify the ACL for the IPsec policy to reference | `security acl acl-number` | Optional. By default, an IPsec policy references no ACL. |
| Specify the IPsec proposals for the IPsec policy to reference | `proposal proposal-name&<1-6>` | Required. By default, an IPsec policy references no IPsec proposal. |
| Specify the IKE peer for the IPsec policy to reference | `ike-peer peer-name` | Required. An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa. |
| Enable and configure the perfect forward secrecy feature for the IPsec policy | `pfs { dh-group1 \| dh-group2 \| dh-group5 \| dh-group14 }` | Optional. By default, the PFS feature is not used for negotiation. For information about PFS, refer to . |
| Configure the SA lifetime | `sa duration { time-based seconds \| traffic-based kilobytes }` | Optional. By default, the SA lifetime of an IPsec policy equals the current global SA lifetime. |
| Enable the IPsec policy | `policy enable` | Optional. Enabled by default. |
| Return to system view | `quit` | — |
| Configure the global SA lifetime | `ipsec sa global-duration { time-based seconds \| traffic-based kilobytes }` | Optional. 3,600 seconds for time-based SA lifetime by default; 1,843,200 kilobytes for traffic-based SA lifetime by default. |
| Create an IPsec policy by referencing an IPsec policy template | `ipsec policy policy-name seq-number isakmp template template-name` | Required. By default, no IPsec policy exists. |
NOTE:
• You cannot change the parameters of an IPsec policy created by referencing an IPsec policy template directly in IPsec policy view. You can perform the required changes in IPsec policy template view.
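The following is an added example, not taken from the manual: a small Python audit that reads a saved configuration, checks each IPsec policy template against the Required rows of the table above, and resolves the effective SA lifetime from the global value or its defaults. The sample configuration, all names in it, and the rule that treats dh-group1, dh-group2 and dh-group5 as weak are assumptions of this example.

```python
# Defaults from the table above: global SA lifetime (seconds / kilobytes).
GLOBAL_DEFAULT = {"time-based": 3600, "traffic-based": 1843200}
# Assumption (not from the manual): DH groups below 2048-bit MODP count as weak.
WEAK_PFS = {"dh-group1", "dh-group2", "dh-group5"}

# Constructed sample configuration; every name and number is made up.
SAMPLE = """\
ipsec sa global-duration time-based 7200
ipsec policy-template branch 10
 proposal prop-aes
 ike-peer hq
 pfs dh-group14
 sa duration traffic-based 500000
ipsec policy-template legacy 20
 proposal p1 p2 p3 p4 p5 p6 p7
 pfs dh-group2
"""

def audit_templates(config):
    """Return {(template, seq): {"sa": effective lifetimes, "findings": [...]}}."""
    rows = [l.split() for l in config.splitlines() if l.strip()]
    glob = dict(GLOBAL_DEFAULT)
    for w in rows:  # first pass: the global lifetime may appear anywhere
        if w[:3] == ["ipsec", "sa", "global-duration"] and len(w) == 5:
            glob[w[3]] = int(w[4])
    out, cur = {}, None
    for w in rows:
        if w[:2] == ["ipsec", "policy-template"] and len(w) == 4:
            cur = out[(w[2], int(w[3]))] = {"proposals": [], "sa": dict(glob)}
        elif w[0] in ("quit", "ipsec"):
            cur = None  # left template view
        elif cur is None:
            continue
        elif w[0] == "proposal":
            cur["proposals"] += w[1:]
        elif w[0] in ("ike-peer", "pfs") and len(w) == 2:
            cur[w[0]] = w[1]
        elif w[:2] == ["sa", "duration"] and len(w) == 4:
            cur["sa"][w[2]] = int(w[3])  # overrides the inherited global value
    for t in out.values():
        f = t["findings"] = []
        if not 1 <= len(t["proposals"]) <= 6:
            f.append("proposal: required, 1 to 6 names")
        if "ike-peer" not in t:
            f.append("ike-peer: required")
        if t.get("pfs") in WEAK_PFS | {None}:
            f.append("pfs: " + (t.get("pfs") or "not used") + " (weak or absent)")
    return out
```

Calling `audit_templates(SAMPLE)` returns no findings for template `branch 10` and three for `legacy 20` (seven proposals, no IKE peer, dh-group2).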