Configuring an IPsec policy that uses IKE, Configuration guidelines – H3C Technologies H3C SecPath F1000-E User Manual
Step 8. Configure keys for the SAs.

Command (use the commands that match the security protocol, AH or ESP or both, of the referenced proposal):
• Configure an authentication key in hexadecimal for AH:
  sa authentication-hex { inbound | outbound } ah hex-key
• Configure an authentication key in characters for AH:
  sa string-key { inbound | outbound } ah string-key
• Configure a key in characters for ESP:
  sa string-key { inbound | outbound } esp string-key
• Configure an authentication key in hexadecimal for ESP:
  sa authentication-hex { inbound | outbound } esp hex-key
• Configure an encryption key in hexadecimal for ESP:
  sa encryption-hex { inbound | outbound } esp hex-key

Remarks:
Configure an authentication key for AH in either hexadecimal or character format.
Configure an authentication key, an encryption key, or both for ESP. If you configure a key in characters for ESP, the device derives both an authentication key and an encryption key for ESP from that string.
If you configure a key for the same SA in both formats, string and hexadecimal, only the last configured one takes effect.
The inbound key on the local end must be identical to the outbound key of the same kind on the remote end, and vice versa; a mismatch leaves one direction of the tunnel unable to authenticate or decrypt traffic.
In FIPS mode, the firewall does not support the sa string-key command for AH or ESP.
NOTE:
You cannot change the creation mode of an IPsec policy from manual to IKE-negotiated, or vice versa. To replace a manual IPsec policy with one that uses IKE, delete the manual IPsec policy first, and then create the policy using IKE.
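The following is an added example, not part of the H3C manual, that generates the step 8 key lines for both peers of a manual SA pair and checks that the keys are mirrored correctly (local outbound = remote inbound). It assumes the key sizes of the IPsec RFC algorithms (HMAC-MD5-96 16 bytes, HMAC-SHA1-96 20 bytes, DES 8, 3DES 24, AES-128 16); the exact hex-key lengths the SecPath firmware accepts must be taken from its command reference. All function names (gen_key_hex, valid_hex_key, sa_keys, sa_lines, peer_configs, keys_mirror) are hypothetical helpers written for this example.

```python
import secrets

# Key sizes in bytes for the algorithms a manual IPsec SA can use.
# They follow the IPsec RFCs (HMAC-MD5-96: 16-byte key, HMAC-SHA1-96: 20-byte
# key, DES: 8, 3DES: 24, AES-128: 16). Assumption: the exact hex-key lengths
# the SecPath firmware accepts come from its command reference, not this page.
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes128": 16}


def gen_key_hex(nbytes):
    """Return nbytes of CSPRNG output as a lowercase hex string (2*nbytes chars)."""
    return secrets.token_hex(nbytes)


def valid_hex_key(hex_key, nbytes):
    """True if hex_key is well-formed hex encoding exactly nbytes bytes."""
    if len(hex_key) != 2 * nbytes:
        return False
    try:
        bytes.fromhex(hex_key)
    except ValueError:
        return False
    return True


def sa_keys(auth_alg, enc_alg=None):
    """Keys for one SA (one direction): (auth_hex, enc_hex).
    enc_alg is None for AH, which carries no encryption key."""
    auth = gen_key_hex(AUTH_KEY_BYTES[auth_alg])
    enc = gen_key_hex(ENC_KEY_BYTES[enc_alg]) if enc_alg else None
    return auth, enc


def sa_lines(protocol, direction, auth_key, enc_key=None):
    """Render the `sa ...-hex` lines from step 8 for one SA direction."""
    lines = [f" sa authentication-hex {direction} {protocol} {auth_key}"]
    if protocol == "esp" and enc_key is not None:
        lines.append(f" sa encryption-hex {direction} {protocol} {enc_key}")
    return lines


def peer_configs(protocol, auth_alg, enc_alg=None):
    """Key lines for both peers of a manual SA pair.

    The SA from A to B is A's outbound SA and B's inbound SA, so the same key
    material is emitted under 'outbound' on A and 'inbound' on B, and the
    reverse for the B-to-A SA.
    """
    if protocol not in ("ah", "esp"):
        raise ValueError("protocol must be 'ah' or 'esp'")
    if protocol == "ah" and enc_alg is not None:
        raise ValueError("AH has no encryption key")
    a_to_b = sa_keys(auth_alg, enc_alg)
    b_to_a = sa_keys(auth_alg, enc_alg)
    peer_a = sa_lines(protocol, "outbound", *a_to_b) + sa_lines(protocol, "inbound", *b_to_a)
    peer_b = sa_lines(protocol, "outbound", *b_to_a) + sa_lines(protocol, "inbound", *a_to_b)
    return peer_a, peer_b


def keys_mirror(peer_a, peer_b):
    """Check that every outbound key on one peer is the inbound key of the same
    kind on the other peer. A mismatch here is what makes a manual tunnel fail
    to authenticate or decrypt traffic in one direction."""
    def table(lines):
        out = {}
        for line in lines:
            _, kind, direction, proto, key = line.split()
            out[(kind, direction, proto)] = key
        return out
    ta, tb = table(peer_a), table(peer_b)
    for (kind, direction, proto), key in ta.items():
        other = "inbound" if direction == "outbound" else "outbound"
        if tb.get((kind, other, proto)) != key:
            return False
    return True


if __name__ == "__main__":
    a, b = peer_configs("esp", "sha1", "aes128")
    print("# peer A\n" + "\n".join(a))
    print("# peer B\n" + "\n".join(b))
    print("mirrored:", keys_mirror(a, b))
```

Generating keys this way, from a CSPRNG at the full algorithm key size, is the reason to prefer the hex-key commands over sa string-key: keys derived from a human-chosen string carry far less entropy, and FIPS mode disables the string form altogether.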
Configuring an IPsec policy that uses IKE
IPsec policies define which IPsec proposals should be used to protect which data flows. An IPsec policy
is uniquely identified by its name and sequence number.
IPsec policies fall into two categories:
•
Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the
IP addresses of the two ends in tunnel mode.
•
IPsec policy that uses IKE—The parameters are automatically negotiated through IKE.
This section describes how to configure an IPsec policy that uses IKE.
Configuration guidelines
To configure an IPsec policy that uses IKE, use either of the following methods:
•
Configure it directly, by setting the parameters in IPsec policy view.
•
Configure it by referencing an existing IPsec policy template in which the parameters to be negotiated are configured. A device that references an IPsec policy configured in this way cannot initiate SA negotiation, but it can respond to a negotiation request. Parameters not defined in the template are determined by the initiator. This approach applies to scenarios where information about the remote end, such as its IP address, is unknown.
The parameters configurable for an IPsec policy template are the same as those you configure when directly configuring an IPsec policy that uses IKE. The difference is that more parameters are optional: