Configuring an IKE-based IPsec policy

In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.

To configure an IKE-based IPsec policy, use one of the following methods:

Configuration restrictions and guidelines

When you configure an IKE-based IPsec policy, follow these restrictions and guidelines:

Directly configuring an IKE-based IPsec policy

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create an IKE-based IPsec policy entry and enter its view.

ipsec { ipv6-policy | policy } policy-name seq-number isakmp

By default, no IPsec policies exist.

3. (Optional.) Configure a description for the IPsec policy.

description text

By default, no description is configured.

4. Specify an ACL for the IPsec policy.

security acl { acl-number | name acl-name } [ aggregation | per-host ]

By default, no ACL is specified for an IPsec policy.

You can specify only one ACL for an IPsec policy.

5. Specify IPsec transform sets for the IPsec policy.

transform-set transform-set-name&<1-6>

By default, no IPsec transform sets are specified for an IPsec policy.

6. Specify an IKE profile for the IPsec policy.

ike-profile profile-name

By default, no IKE profile is specified for an IPsec policy.

You can specify only one IKE profile for an IPsec policy.

For more information about IKE profiles, see "Configuring IKE."

7. Specify an IKEv2 profile for the IPsec policy.

ikev2-profile profile-name

By default, no IKEv2 profile is specified for the IPsec policy.

You can specify only one IKEv2 profile for an IPsec policy.

For more information about IKEv2 profiles, see "Configuring IKEv2."

8. Specify the local IP address of the IPsec tunnel.

local-address ipv4-address

By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied.

The local IP address specified by this command must be the same as the IP address used as the local IKE identity.

In a VRRP network, the local IP address must be the virtual IP address of the VRRP group to which the IPsec-applied interface belongs.

9. Specify the remote IP address of the IPsec tunnel.

remote-address { host-name | ipv4-address }

By default, the remote IP address of the IPsec tunnel is not specified.

10. (Optional.) Set the IPsec SA lifetime.

sa duration { time-based seconds | traffic-based kilobytes }

By default, the global SA lifetime is used.

11. (Optional.) Set the IPsec SA idle timeout.

sa idle-time seconds

By default, the global SA idle timeout is used.

12. (Optional.) Enable the Traffic Flow Confidentiality (TFC) padding feature.

tfc enable

By default, the TFC padding feature is disabled.

13. Return to system view.

quit

N/A

14. Set the global SA lifetime.

ipsec sa global-duration { time-based seconds | traffic-based kilobytes }

By default, the time-based SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes.

15. (Optional.) Enable the global IPsec SA idle timeout feature, and set the global SA idle timeout.

ipsec sa idle-time seconds

By default, the global IPsec SA idle timeout feature is disabled.

Configuring an IKE-based IPsec policy by using an IPsec policy template

The configurable parameters for an IPsec policy template are the same as those for a directly configured IKE-based IPsec policy. The difference is that more parameters are optional for an IPsec policy template: except for the IPsec transform sets and the IKE profile, all other parameters are optional.

A device using an IPsec policy that is configured by using an IPsec policy template cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator. For example, the ACL is optional in an IPsec policy template. If you do not specify an ACL, the IPsec protection range is not limited, so the device accepts all ACL settings of the negotiation initiator. When the remote end's information (such as its IP address) is unknown, an IPsec policy configured by using this method allows the remote end to initiate negotiations with the local end.

To configure an IKE-based IPsec policy by using an IPsec policy template:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create an IPsec policy template and enter its view.

ipsec { ipv6-policy-template | policy-template } template-name seq-number

By default, no IPsec policy templates exist.

3. (Optional.) Configure a description for the IPsec policy template.

description text

By default, no description is configured.

4. (Optional.) Specify an ACL for the IPsec policy template.

security acl { acl-number | name acl-name } [ aggregation | per-host ]

By default, no ACL is specified for an IPsec policy template.

You can specify only one ACL for an IPsec policy template.

5. Specify IPsec transform sets for the IPsec policy template.

transform-set transform-set-name&<1-6>

By default, no IPsec transform sets are specified for an IPsec policy template.

6. Specify an IKE profile for the IPsec policy template.

ike-profile profile-name

By default, no IKE profile is specified for the IPsec policy template.

You can specify only one IKE profile for an IPsec policy template and the IKE profile cannot be used by another IPsec policy template or IPsec policy.

For more information about IKE profiles, see "Configuring IKE."

7. Specify an IKEv2 profile for the IPsec policy template.

ikev2-profile profile-name

By default, no IKEv2 profile is specified for the IPsec policy template.

You can specify only one IKEv2 profile for an IPsec policy template.

For more information about IKEv2 profiles, see "Configuring IKEv2."

8. (Optional.) Specify the local IP address of the IPsec tunnel.

local-address ipv4-address

By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied.

The local IP address specified by this command must be the same as the IP address used as the local IKE identity.

In a VRRP network, the local IP address must be the virtual IP address of the VRRP group to which the IPsec-applied interface belongs.

9. (Optional.) Specify the remote IP address of the IPsec tunnel.

remote-address { host-name | ipv4-address }

By default, the remote IP address of the IPsec tunnel is not specified.

10. (Optional.) Configure the IPsec SA lifetime.

sa duration { time-based seconds | traffic-based kilobytes }

By default, the global SA lifetime settings are used.

11. (Optional.) Set the IPsec SA idle timeout.

sa idle-time seconds

By default, the global SA idle timeout is used.

12. (Optional.) Enable the Traffic Flow Confidentiality (TFC) padding feature.

tfc enable

By default, the TFC padding feature is disabled.

13. Return to system view.

quit

N/A

14. Configure the global SA lifetime.

ipsec sa global-duration { time-based seconds | traffic-based kilobytes }

By default, the time-based SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes.

15. (Optional.) Enable the global IPsec SA idle timeout feature, and set the global SA idle timeout.

ipsec sa idle-time seconds

By default, the global IPsec SA idle timeout feature is disabled.

16. Create an IPsec policy by using the IPsec policy template.

ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name

By default, no IPsec policies exist.
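The two procedures above state a number of rules that are easy to violate when a configuration is edited by hand: a direct IKE-based policy needs an ACL, a remote address, one to six transform sets and an IKE or IKEv2 profile; a policy template's IKE profile may not be shared with any other template or policy; a policy created from a template can only respond to negotiations; and the SA lifetime and idle timeout fall back from the policy to the global setting and then to the documented defaults. The following Python script is an added example that is not part of this documentation and not H3C software. It parses a constructed configuration in `display current-configuration` layout (SAMPLE_CONFIG, invented for this example) and checks it against those rules for both the direct-policy and the template procedures. The function names (`parse_config`, `lint`, `effective_sa_settings`) are hypothetical, and the script assumes that an IKEv2 profile may stand in for the IKE profile that the template section names as mandatory.

```python
"""Lint a Comware-style IPsec policy configuration against this section's rules.
Added example (not H3C code); SAMPLE_CONFIG is constructed, helper names are hypothetical."""
import re

DEFAULT_TIME_LIFETIME = 3600        # seconds, default stated in the section
DEFAULT_TRAFFIC_LIFETIME = 1843200  # kilobytes, default stated in the section
MAX_TRANSFORM_SETS = 6              # transform-set-name&<1-6>

# View headers: direct IKE-based policy, policy template, and policy created from a template.
HEADER_RE = re.compile(
    r"^ipsec (?P<kind>ipv6-policy-template|policy-template|ipv6-policy|policy) "
    r"(?P<name>\S+) (?P<seq>\d+)(?: isakmp(?: template (?P<template>\S+))?)?$")

SAMPLE_CONFIG = """\
ipsec sa global-duration time-based 1800
#
ipsec policy-template branch-tpl 10
 transform-set tran-aes
 ike-profile prof-branch
#
ipsec policy-template branch-tpl 20
 transform-set tran-aes
 ike-profile prof-branch
#
ipsec policy hq 10 isakmp
 security acl 3000
 transform-set tran-aes tran-gcm
 ike-profile prof-hq
 local-address 192.0.2.1
 remote-address 198.51.100.7
 sa duration traffic-based 102400
 sa idle-time 600
#
ipsec policy hq 20 isakmp
 transform-set tran-aes
 ikev2-profile prof-v2
 remote-address 198.51.100.9
#
ipsec policy branch 10 isakmp template branch-tpl
"""


def parse_config(text):
    """Return (global SA settings, list of policy/template views with their commands)."""
    glob = {"time": None, "traffic": None, "idle": None}
    entries, cur = [], None
    for raw in text.splitlines():
        line, toks = raw.rstrip(), raw.split()
        if not toks or line == "#":
            cur = None                      # '#' closes a view in Comware output
            continue
        if line.startswith("ipsec sa global-duration "):
            glob["time" if toks[3] == "time-based" else "traffic"] = int(toks[4])
        elif line.startswith("ipsec sa idle-time "):
            glob["idle"] = int(toks[3])
        elif (m := HEADER_RE.match(line)):
            cur = {"kind": m["kind"], "name": m["name"], "seq": int(m["seq"]),
                   "template": m["template"], "acl": [], "transform_sets": [],
                   "ike_profile": [], "ikev2_profile": [], "local": None,
                   "remote": None, "time": None, "traffic": None, "idle": None}
            entries.append(cur)
        elif cur is not None and raw.startswith(" "):   # command inside the current view
            if toks[:2] == ["security", "acl"]:
                cur["acl"].append(toks[3] if toks[2] == "name" else toks[2])
            elif toks[0] == "transform-set":
                cur["transform_sets"] += toks[1:]
            elif toks[0] in ("ike-profile", "ikev2-profile"):
                cur[toks[0].replace("-", "_")].append(toks[1])
            elif toks[0] in ("local-address", "remote-address"):
                cur[toks[0].split("-")[0]] = toks[-1]
            elif toks[:2] == ["sa", "duration"]:
                cur["time" if toks[2] == "time-based" else "traffic"] = int(toks[3])
            elif toks[:2] == ["sa", "idle-time"]:
                cur["idle"] = int(toks[2])
    return glob, entries


def effective_sa_settings(entry, glob):
    """Policy value, else global value, else the documented default (idle timeout: disabled)."""
    return {"time_based_s": entry["time"] or glob["time"] or DEFAULT_TIME_LIFETIME,
            "traffic_based_kb": entry["traffic"] or glob["traffic"] or DEFAULT_TRAFFIC_LIFETIME,
            "idle_s": entry["idle"] or glob["idle"],       # None: idle timeout feature disabled
            "can_initiate": entry["template"] is None}     # template-based policies only respond


def lint(text):
    """Return (global settings, entries, list of rule violations found)."""
    glob, entries = parse_config(text)
    errors, ike_users = [], {}
    templates = {e["name"] for e in entries if "template" in e["kind"]}
    for e in entries:                       # record who references each IKE profile
        for p in e["ike_profile"]:
            ike_users.setdefault(p, []).append(f"{e['kind']} {e['name']} {e['seq']}")
    for e in entries:
        where, is_tpl = f"{e['kind']} {e['name']} {e['seq']}", "template" in e["kind"]
        if e["template"] is not None:       # policy built from a template takes its settings
            if e["template"] not in templates:
                errors.append(f"{where}: template {e['template']} does not exist")
            continue
        n = len(e["transform_sets"])
        if not 1 <= n <= MAX_TRANSFORM_SETS:
            errors.append(f"{where}: {n} transform sets, need 1-{MAX_TRANSFORM_SETS}")
        if max(len(e["acl"]), len(e["ike_profile"]), len(e["ikev2_profile"])) > 1:
            errors.append(f"{where}: only one ACL, IKE profile and IKEv2 profile allowed")
        if not e["ike_profile"] and not e["ikev2_profile"]:   # assumption: IKEv2 profile may stand in
            errors.append(f"{where}: no IKE or IKEv2 profile")
        if not is_tpl and not e["acl"]:
            errors.append(f"{where}: no security acl (mandatory for a direct policy)")
        if not is_tpl and e["remote"] is None:
            errors.append(f"{where}: no remote-address (mandatory for a direct policy)")
        for p in (e["ike_profile"] if is_tpl else []):      # a template's IKE profile is exclusive
            others = [u for u in ike_users[p] if u != where]
            if others:
                errors.append(f"{where}: IKE profile {p} also used by {', '.join(others)}")
    return glob, entries, errors
```

Run against SAMPLE_CONFIG, `lint()` reports that both `branch-tpl` entries share `prof-branch` and that `hq 20` has no ACL, while `effective_sa_settings()` shows `hq 10` inheriting the global 1800-second lifetime, `hq 20` falling back to the 1843200-kilobyte default with the idle timeout disabled, and the template-based `branch` policy marked as responder-only.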