
Configuring a manual IPsec policy, Configuration guidelines – H3C Technologies H3C SecPath F1000-E User Manual

Step 5. Specify the IP packet encapsulation mode for the IPsec proposal.
    Command: encapsulation-mode { transport | tunnel }
    Remarks: Optional. Tunnel mode by default.
             Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.
             IPsec for IPv6 routing protocols supports only the transport mode.

Configuring a manual IPsec policy

IPsec policies define which IPsec proposals should be used to protect which data flows. An IPsec policy is uniquely identified by its name and sequence number.

IPsec policies fall into two categories:

• Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode.
• IPsec policy that uses IKE—The parameters are automatically negotiated through IKE.

This section describes how to configure a manual IPsec policy.

Configuration guidelines

To ensure successful SA negotiations, follow these guidelines when you configure manual IPsec policies at the two ends of an IPsec tunnel:

• The IPsec policies at the two ends must have IPsec proposals that use the same security protocols, security algorithms, and encapsulation mode.
• The remote IP address configured on the local end must be the same as the IP address of the remote end.
• At each end, configure parameters for both the inbound SA and the outbound SA and make sure that different SAs use different SPIs.
• The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.
• The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters.

Follow these guidelines when you configure an IPsec policy for an IPv6 routing protocol:

• You do not need to configure ACLs or IPsec tunnel addresses.
• Within a certain routed network scope, the IPsec proposals used by the IPsec policies on all routers must have the same security protocols, security algorithms, and encapsulation mode. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.
• All SAs (both inbound and outbound) within the routed network scope must use the same SPI and keys.
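The guidelines above (for the two ends of a manual IPsec tunnel, and for a routed IPv6 scope) are easy to get wrong by hand because the SPIs and keys are mirrored rather than copied. The following Python script is an added example, not H3C code or part of the manual: it models each end's manual policy as a small record (the ManualPolicy and SA classes, the field names, the sample addresses and placeholder keys are all constructed for this example) and checks the two lists of guidelines against it before the configuration is typed into the devices. It generalises slightly beyond the page by also checking the transport-mode address restriction noted in the table row above.

```python
"""Consistency checker for manual IPsec policies (added example, not H3C code).

Each end of an IPsec tunnel is modelled as a ManualPolicy: the IPsec proposal it
references (security protocol, algorithms, encapsulation mode), the tunnel
addresses, and its inbound and outbound SAs. The checks encode the configuration
guidelines from the manual; every value below is constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SA:
    spi: int
    key: str
    key_format: str  # "string" (key in characters) or "hex"


@dataclass(frozen=True)
class ManualPolicy:
    protocol: str                  # "esp" or "ah"
    algorithms: Tuple[str, ...]    # e.g. ("aes", "sha1")
    mode: str                      # "tunnel" or "transport"
    inbound: SA
    outbound: SA
    local_ip: Optional[str] = None   # tunnel addresses; not needed for
    remote_ip: Optional[str] = None  # IPv6 routing-protocol policies
    flow: Optional[Tuple[str, str]] = None  # (src, dst) of the protected flow


def proposal_of(p: ManualPolicy):
    return (p.protocol, p.algorithms, p.mode)


def check_tunnel_pair(local: ManualPolicy, remote: ManualPolicy) -> List[str]:
    """Return the guideline violations for a manual IPsec tunnel (empty = consistent)."""
    errs = []
    if proposal_of(local) != proposal_of(remote):
        errs.append("proposal mismatch: both ends need the same security protocol, "
                    "algorithms and encapsulation mode")
    # The remote address configured at each end must be the other end's address.
    if local.remote_ip != remote.local_ip or remote.remote_ip != local.local_ip:
        errs.append("tunnel addresses do not match: each end's remote address must be "
                    "the other end's local address")
    for name, end in (("local", local), ("remote", remote)):
        if end.inbound.spi == end.outbound.spi:
            errs.append(f"{name}: inbound and outbound SAs must use different SPIs")
        # Transport mode only fits flows whose endpoints are the tunnel endpoints.
        if end.mode == "transport" and end.flow is not None \
                and set(end.flow) != {end.local_ip, end.remote_ip}:
            errs.append(f"{name}: transport mode requires the flow addresses to match "
                        "the tunnel addresses")
    # SPIs and keys are mirrored: local inbound == remote outbound and vice versa.
    if (local.inbound.spi, local.inbound.key) != (remote.outbound.spi, remote.outbound.key):
        errs.append("local inbound SA must use the same SPI and key as the remote outbound SA")
    if (local.outbound.spi, local.outbound.key) != (remote.inbound.spi, remote.inbound.key):
        errs.append("local outbound SA must use the same SPI and key as the remote inbound SA")
    # All four SAs use keys of the same format (all character strings or all hex).
    formats = {sa.key_format for sa in (local.inbound, local.outbound,
                                        remote.inbound, remote.outbound)}
    if len(formats) > 1:
        errs.append("all SAs must use keys in the same format (got %s)" % ", ".join(sorted(formats)))
    return errs


def check_routing_protocol_scope(policies: List[ManualPolicy]) -> List[str]:
    """Guidelines for IPsec protecting an IPv6 routing protocol (e.g. one OSPFv3 area):
    every router uses the same proposal, transport mode, and one SPI/key for all SAs."""
    errs = []
    if len({proposal_of(p) for p in policies}) > 1:
        errs.append("all routers in the scope must use the same protocol, algorithms and mode")
    if any(p.mode != "transport" for p in policies):
        errs.append("IPsec for IPv6 routing protocols supports only transport mode")
    sas = {(sa.spi, sa.key) for p in policies for sa in (p.inbound, p.outbound)}
    if len(sas) > 1:
        errs.append("all inbound and outbound SAs in the scope must use the same SPI and key")
    return errs


# Constructed sample data (RFC 5737 documentation addresses, placeholder keys).
ESP_AES_SHA1 = dict(protocol="esp", algorithms=("aes", "sha1"))
HQ = ManualPolicy(**ESP_AES_SHA1, mode="tunnel",
                  local_ip="192.0.2.1", remote_ip="198.51.100.1",
                  inbound=SA(12345, "hq-in-key-0001", "string"),
                  outbound=SA(54321, "hq-out-key-001", "string"))
BRANCH = ManualPolicy(**ESP_AES_SHA1, mode="tunnel",
                      local_ip="198.51.100.1", remote_ip="192.0.2.1",
                      inbound=SA(54321, "hq-out-key-001", "string"),   # mirrors HQ outbound
                      outbound=SA(12345, "hq-in-key-0001", "string"))  # mirrors HQ inbound
# A branch that reused the SPI 12345 for both of its SAs (violates two guidelines).
BRANCH_BAD = replace(BRANCH, inbound=SA(12345, "hq-out-key-001", "string"))

# Three routers in one OSPFv3 area sharing a single transport-mode SA.
AREA_SA = SA(1000, "area0-shared-key", "string")
OSPFV3_AREA = [ManualPolicy(**ESP_AES_SHA1, mode="transport", inbound=AREA_SA, outbound=AREA_SA)
               for _ in range(3)]
# The same area with one router mistakenly left in tunnel mode.
MIXED_AREA = [replace(OSPFV3_AREA[0], mode="tunnel")] + OSPFV3_AREA[1:]

if __name__ == "__main__":
    for label, errs in (("HQ<->BRANCH", check_tunnel_pair(HQ, BRANCH)),
                        ("HQ<->BRANCH_BAD", check_tunnel_pair(HQ, BRANCH_BAD)),
                        ("OSPFv3 area", check_routing_protocol_scope(OSPFV3_AREA)),
                        ("mixed area", check_routing_protocol_scope(MIXED_AREA))):
        print(label, "OK" if not errs else "\n  - " + "\n  - ".join(errs))
```

Running the script reports HQ<->BRANCH and the OSPFv3 area as consistent, flags BRANCH_BAD for reusing an SPI and for its inbound SA no longer matching HQ's outbound SA, and flags the mixed area for both the proposal mismatch and the tunnel-mode router. The checker deliberately compares proposals as a whole tuple, which is the property the first guideline asks for: a matching key with a different algorithm or mode still breaks the tunnel.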