Configuring an ipsec profile – H3C Technologies H3C SecPath F1000-E User Manual
Task                                                  Remarks
Applying a QoS Policy to an IPsec Tunnel Interface    Optional
Enabling the Encryption Engine                        Optional
Configuring the IPsec Anti-Replay Function            Optional
Configuring an IPsec Profile
As described previously, an IPsec policy is uniquely identified by its name and sequence number. An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. Within a group, the policy with the smaller sequence number has the higher priority. After an IPsec policy group is applied to an interface, the system matches each packet arriving at the interface against the policies of the group in ascending order of sequence number. An IPsec tunnel is established for each data flow to be protected, so multiple IPsec tunnels may exist on one interface.
Unlike an IPsec policy, an IPsec profile is uniquely identified by its name alone and can contain only one IPsec policy. It does not support ACL configuration. An IPsec profile defines the IPsec proposal for the data flows to be protected and specifies the parameters for IKE negotiation. After an IPsec profile is applied to an IPsec tunnel interface, a single IPsec tunnel is set up to protect all data flows routed to the tunnel.
IPsec profiles can currently be applied only to IPsec tunnel interfaces. The IPsec tunnel established using an IPsec profile protects all IP traffic routed to the tunnel interface. Because no ACL is involved, which traffic is protected is decided entirely by routing: a packet routed to the tunnel interface is encrypted, and a packet routed out any other interface leaves in clear text.
Before configuring an IPsec profile, complete the following configurations:
• IPsec proposal configuration. For details, refer to
• IKE peer configuration. For details, refer to
Note that the parameters for the local and remote ends must match.
NOTE:
• During IKE negotiation based on an IPsec profile, the source and destination addresses of the IPsec tunnel interface are used as the local and remote addresses; the local-address and remote-address commands configured for IKE negotiation do not take effect.
• If you do not configure the destination address of the IPsec tunnel interface, the local peer can only act as an IKE negotiation responder; it cannot initiate an IKE negotiation.
Follow these steps to configure an IPsec profile:

To do...                                                     Use the command...              Remarks
Enter system view                                            system-view                     —
Create an IPsec profile and enter its view                   ipsec profile profile-name      Required. By default, no IPsec profile exists.
Specify the IPsec proposals for the IPsec profile to reference   proposal proposal-name&<1-6>    Required. By default, an IPsec profile references no IPsec proposals. The &<1-6> notation means the argument can be repeated up to six times, one proposal name per entry.
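The following Comware CLI session is an added example, not taken from the manual, that carries the steps above through to a working IPsec tunnel interface. Only system-view, ipsec profile and proposal appear on this page; the ipsec proposal, ike peer, ike-peer (in profile view), interface Tunnel, tunnel-protocol ipsec ipv4, source, destination, ip route-static and tunnel-view ipsec profile commands are assumed from other chapters of the Comware V5 manual and should be checked against your software version. The names prop1, peer1, prof1 and Tunnel0 and the addresses 192.0.2.1, 198.51.100.1, 10.1.1.1/24 and 10.2.2.0/24 are placeholders. Lines starting with # are annotations, not commands.

```text
# Added example, not from the manual. '#' lines are annotations, not commands.
# prop1, peer1, prof1, Tunnel0 and all addresses are placeholders.

# 1. IPsec proposal (prerequisite; parameters must match the remote end)
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] quit

# 2. IKE peer (prerequisite). Do not rely on local-address/remote-address here:
#    with an IPsec profile, IKE uses the tunnel interface's source and
#    destination addresses instead. Authentication settings (for example the
#    pre-shared key) are configured here as described in the IKE chapter.
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] quit

# 3. IPsec profile: identified by name only, no ACL, references the proposal
#    and the IKE peer
[Sysname] ipsec profile prof1
[Sysname-ipsec-profile-prof1] proposal prop1
[Sysname-ipsec-profile-prof1] ike-peer peer1
[Sysns-ipsec-profile-prof1] quit

# 4. IPsec tunnel interface. The single tunnel protects everything routed to
#    Tunnel0; traffic routed out any other interface is sent in clear text.
[Sysname] interface Tunnel0
[Sysname-Tunnel0] tunnel-protocol ipsec ipv4
[Sysname-Tunnel0] source 192.0.2.1
[Sysname-Tunnel0] destination 198.51.100.1
[Sysname-Tunnel0] ipsec profile prof1
[Sysname-Tunnel0] ip address 10.1.1.1 255.255.255.0
[Sysname-Tunnel0] quit

# 5. Routing decides what is protected: this prefix goes through the tunnel
[Sysname] ip route-static 10.2.2.0 24 Tunnel0

# Responder-only variant: leave out "destination" under Tunnel0. The device
# then answers IKE negotiations started by the remote end but cannot start
# one itself, so the tunnel only comes up when the other side initiates.
```

On the remote peer, mirror this configuration with the source and destination swapped; the proposal and IKE peer parameters must match on both ends, as the prerequisites note states. Because the NOTE above says the IKE peer's local-address and remote-address are ignored for profiles, a mismatch between the two ends' tunnel interface addresses, not the IKE peer addresses, is the first thing to check when negotiation fails.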