Configuring an IKE-based IPsec policy
In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.
To configure an IKE-based IPsec policy, use one of the following methods:
Directly configure it by configuring the parameters in IPsec policy view.
Configure it by using an existing IPsec policy template with the parameters to be negotiated configured.
A device using an IPsec policy that is configured in this way cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator. When the remote end's information (such as the IP address) is unknown, this method allows the remote end to initiate negotiations with the local end.
Configuration restrictions and guidelines
When you configure an IKE-based IPsec policy, follow these restrictions and guidelines:
The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
The IPsec policies at the two tunnel ends must have the same IKE profile parameters.
An IKE-based IPsec policy can use a maximum of six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.
The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end.
The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.
The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires.
Directly configuring an IKE-based IPsec policy
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an IKE-based IPsec policy entry and enter its view. | ipsec { ipv6-policy | policy } policy-name seq-number isakmp | By default, no IPsec policies exist. |
3. (Optional.) Configure a description for the IPsec policy. | description text | By default, no description is configured. |
4. Specify an ACL for the IPsec policy. | security acl { acl-number | name acl-name } [ aggregation | per-host ] | By default, no ACL is specified for an IPsec policy. You can specify only one ACL for an IPsec policy. |
5. Specify IPsec transform sets for the IPsec policy. | transform-set transform-set-name&<1-6> | By default, no IPsec transform sets are specified for an IPsec policy. |
6. Specify an IKE profile for the IPsec policy. | ike-profile profile-name | By default, no IKE profile is specified for an IPsec policy. You can specify only one IKE profile for an IPsec policy. For more information about IKE profiles, see "Configuring IKE." |
7. Specify an IKEv2 profile for the IPsec policy. | ikev2-profile profile-name | By default, no IKEv2 profile is specified for the IPsec policy. You can specify only one IKEv2 profile for an IPsec policy. For more information about IKEv2 profiles, see "Configuring IKEv2." |
8. Specify the local IP address of the IPsec tunnel. | local-address ipv4-address | By default, the local IPv4 address of IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied. The local IP address specified by this command must be the same as the IP address used as the local IKE identity. In a VRRP network, the local IP address must be the virtual IP address of the VRRP group to which the IPsec-applied interface belongs. |
9. Specify the remote IP address of the IPsec tunnel. | remote-address { host-name | ipv4-address } | By default, the remote IP address of the IPsec tunnel is not specified. |
10. (Optional.) Set the IPsec SA lifetime. | sa duration { time-based seconds | traffic-based kilobytes } | By default, the global SA lifetime is used. |
11. (Optional.) Set the IPsec SA idle timeout. | sa idle-time seconds | By default, the global SA idle timeout is used. |
12. (Optional.) Enable the Traffic Flow Confidentiality (TFC) padding feature. | tfc enable | By default, the TFC padding feature is disabled. |
13. Return to system view. | quit | N/A |
14. Set the global SA lifetime. | ipsec sa global-duration { time-based seconds | traffic-based kilobytes } | By default, the time-based SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes. |
15. (Optional.) Enable the global IPsec SA idle timeout feature, and set the global SA idle timeout. | ipsec sa idle-time seconds | By default, the global IPsec SA idle timeout feature is disabled. |
Configuring an IKE-based IPsec policy by using an IPsec policy template
The configurable parameters for an IPsec policy template are the same as those when you directly configure an IKE-based IPsec policy. The difference is that more parameters are optional for an IPsec policy template. Except the IPsec transform sets and the IKE profile, all other parameters are optional.
A device using an IPsec policy that is configured by using an IPsec policy template cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator. For example, in an IPsec policy template, the ACL is optional. If you do not specify an ACL, the IPsec protection range has no limit. So the device accepts all ACL settings of the negotiation initiator. When the remote end's information (such as the IP address) is unknown, the IPsec policy configured by using this method allows the remote end to initiate negotiations with the local end.
To configure an IKE-based IPsec policy by using an IPsec policy template:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an IPsec policy template and enter its view. | ipsec { ipv6-policy-template | policy-template } template-name seq-number | By default, no IPsec policy templates exist. |
3. (Optional.) Configure a description for the IPsec policy template. | description text | By default, no description is configured. |
4. (Optional.) Specify an ACL for the IPsec policy template. | security acl { acl-number | name acl-name } [ aggregation | per-host ] | By default, no ACL is specified for an IPsec policy template. You can specify only one ACL for an IPsec policy template. |
5. Specify IPsec transform sets for the IPsec policy template. | transform-set transform-set-name&<1-6> | By default, no IPsec transform sets are specified for an IPsec policy template. |
6. Specify an IKE profile for the IPsec policy. | ike-profile profile-name | By default, no IKE profile is specified for the IPsec policy template. You can specify only one IKE profile for an IPsec policy template and the IKE profile cannot be used by another IPsec policy template or IPsec policy. For more information about IKE profiles, see "Configuring IKE." |
7. Specify an IKEv2 profile for the IPsec policy template. | ikev2-profile profile-name | By default, no IKEv2 profile is specified for the IPsec policy template. You can specify only one IKEv2 profile for an IPsec policy template. For more information about IKEv2 profiles, see "Configuring IKEv2." |
8. (Optional.) Specify the local IP address of the IPsec tunnel. | local-address ipv4-address | By default, the local IPv4 address of IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied. The local IP address specified by this command must be the same as the IP address used as the local IKE identity. In a VRRP network, the local IP address must be the virtual IP address of the VRRP group to which the IPsec-applied interface belongs. |
9. (Optional.) Specify the remote IP address of the IPsec tunnel. | remote-address { host-name | ipv4-address } | By default, the remote IP address of the IPsec tunnel is not specified. |
10. (Optional.) Configure the IPsec SA lifetime. | sa duration { time-based seconds | traffic-based kilobytes } | By default, the global SA lifetime settings are used. |
11. (Optional.) Set the IPsec SA idle timeout. | sa idle-time seconds | By default, the global SA idle timeout is used. |
12. (Optional.) Enable the Traffic Flow Confidentiality (TFC) padding feature. | tfc enable | By default, the TFC padding feature is disabled. |
13. Return to system view. | quit | N/A |
14. Configure the global SA lifetime. | ipsec sa global-duration { time-based seconds | traffic-based kilobytes } | By default, time-based SA lifetime is 3600 seconds, and traffic-based SA lifetime is 1843200 kilobytes. |
15. (Optional.) Enable the global IPsec SA idle timeout feature, and set the global SA idle timeout. | ipsec sa idle-time seconds | By default, the global IPsec SA idle timeout feature is disabled. |
16. Create an IPsec policy by using the IPsec policy template. | ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name | By default, no IPsec policies exist. |