Configuring an IKE-based IPsec profile
An IKE-based IPsec profile is similar to an IKE-based IPsec policy. The difference is that an IPsec profile is uniquely identified by a name and it does not support ACL configuration. An IKE-based IPsec profile specifies the IPsec transform sets used for protecting data flows, and the IKE profile used for IKE negotiation.
When you configure an IKE-based IPsec profile, follow these restrictions and guidelines:
The IPsec profiles at the two tunnel ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
The IPsec profiles at the two tunnel ends must have the same IKE profile parameters.
An IKE-based IPsec profile can use a maximum of six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.
The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.
The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires.
To configure an IKE-based IPsec profile:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an IKE-based IPsec profile and enter its view. | ipsec profile profile-name isakmp | By default, no IPsec profile exists. The isakmp keyword is not needed if you enter the view of an existing IPsec profile. |
3. (Optional.) Configure a description for the IPsec profile. | description text | By default, no description is configured. |
4. Specify IPsec transform sets. | transform-set transform-set-name&<1-6> | By default, no IPsec transform sets are specified in an IPsec profile. The specified IPsec transform sets must use the tunnel mode. |
5. Specify an IKE profile. | ike-profile profile-name | By default, no IKE profile is specified for an IPsec profile, and the device selects an IKE profile configured in system view for negotiation. If no IKE profile is configured in system view, the globally configured IKE settings are used. You can specify only one IKE profile for an IPsec profile. For more information about IKE profiles, see "Configuring IKE." |
6. (Optional.) Set the IPsec SA lifetime. | sa duration { time-based seconds | traffic-based kilobytes } | By default, the global SA lifetime is used. |
7. (Optional.) Set the IPsec SA idle timeout. | sa idle-time seconds | By default, the global SA idle timeout is used. |
8. Return to system view. | quit | N/A |
9. (Optional.) Set the global SA lifetime. | ipsec sa global-duration { time-based seconds | traffic-based kilobytes } | By default, the time-based SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes. |
10. (Optional.) Enable the global IPsec SA idle timeout feature, and set the global SA idle timeout. | ipsec sa idle-time seconds | By default, the global IPsec SA idle timeout feature is disabled. |