H3C Technologies H3C SecPath F1000-E User Manual
Before configuring an IPsec profile, complete the following tasks:
• IPsec proposal configuration. For more information, see "
• IKE peer configuration. For more information, see "Configuring IKE."
The parameters for the local and remote ends must match.
NOTE:
• During an IKE negotiation based on an IPsec profile, the source and destination addresses of the IPsec tunnel interface are used as the local and remote addresses; the local-address and remote-address commands configured for IKE negotiation do not take effect.
• If you do not configure the destination address of the IPsec tunnel interface, the local peer can only be an IKE negotiation responder; it cannot initiate an IKE negotiation.
To configure an IPsec profile:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IPsec profile and enter its view.
    Command: ipsec profile profile-name
    Remarks: By default, no IPsec profile exists.

Step 3. Specify the IPsec proposals for the IPsec profile to reference.
    Command: proposal proposal-name&<1-6>
    Remarks: By default, an IPsec profile references no IPsec proposals.

Step 4. Specify the IKE peer for the IPsec profile to reference.
    Command: ike-peer peer-name
    Remarks: An IPsec profile cannot reference any IKE peer that is already referenced by an IPsec policy, and vice versa.

Step 5. Enable and configure the PFS feature for the IPsec profile.
    Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
    Remarks: Optional. By default, the PFS feature is not used. In FIPS mode, the firewall does not support the dh-group1 keyword. For more information about PFS, see "Configuring IKE."

Step 6. Set the SA lifetime.
    Command: sa duration { time-based seconds | traffic-based kilobytes }
    Remarks: Optional. By default, the SA lifetime of an IPsec profile equals the current global SA lifetime.

Step 7. Set the anti-replay information synchronization intervals in IPsec stateful failover mode.
    Command: synchronization anti-replay-interval inbound inbound-number outbound outbound-number
    Remarks: Optional. By default, the inbound anti-replay window information is synchronized whenever 1000 packets are received, and the outbound anti-replay sequence number is synchronized whenever 100000 packets are sent.

Step 8. Return to system view.
    Command: quit
    Remarks: N/A
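The following is an added worked example of the whole procedure above, not a configuration taken from this manual. The profile name prof1, the proposal name prop1, the IKE peer name peer1, the device name Firewall, the interface Tunnel 0 and the addresses 192.0.2.1 and 198.51.100.1 are placeholders; prop1 and peer1 are assumed to have been created beforehand as the prerequisites require. The profile commands are the ones listed in the table. The tunnel-interface commands (tunnel-protocol, source, destination and the ipsec profile binding) are assumed from the general Comware command set and are not on this page; they are included because, as the NOTE states, the tunnel's source and destination addresses are what IKE actually uses, and a missing destination leaves this end unable to initiate. PFS is set to dh-group14, the largest of the four listed groups and the one that also works in FIPS mode, where dh-group1 is not available.

```text
# Added example (not from the manual). Placeholders: prof1, prop1, peer1,
# Firewall, Tunnel 0, 192.0.2.1, 198.51.100.1.
# Prerequisites assumed to exist already: IPsec proposal prop1, IKE peer peer1.

<Firewall> system-view
[Firewall] ipsec profile prof1
[Firewall-ipsec-profile-prof1] proposal prop1
[Firewall-ipsec-profile-prof1] ike-peer peer1
# Strongest of the listed groups; the only one of dh-group1/dh-group14 usable in FIPS mode.
[Firewall-ipsec-profile-prof1] pfs dh-group14
# Override the inherited global lifetime: rekey after one hour or after the stated traffic volume.
[Firewall-ipsec-profile-prof1] sa duration time-based 3600
[Firewall-ipsec-profile-prof1] sa duration traffic-based 1843200
# Stateful-failover anti-replay sync intervals, set explicitly to the documented defaults.
[Firewall-ipsec-profile-prof1] synchronization anti-replay-interval inbound 1000 outbound 100000
[Firewall-ipsec-profile-prof1] quit

# Binding to the IPsec tunnel interface; commands below are assumed (Comware), not from this page.
# Both source and destination are set, so this peer can initiate IKE, not only respond.
[Firewall] interface Tunnel 0
[Firewall-Tunnel0] tunnel-protocol ipsec ipv4
[Firewall-Tunnel0] source 192.0.2.1
[Firewall-Tunnel0] destination 198.51.100.1
[Firewall-Tunnel0] ipsec profile prof1
[Firewall-Tunnel0] quit
```

Two checks worth making after entering this: confirm that peer1 is not also referenced by an IPsec policy (the table notes a profile and a policy cannot share an IKE peer), and confirm that the remote end uses matching proposal and PFS settings, since the page requires the local and remote parameters to match and a mismatch shows up only as a failed negotiation.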