Configuring a manual IPsec policy
In a manual IPsec policy, all parameters are configured by hand rather than negotiated: the keys, the SPIs, and, in tunnel mode, the IP addresses of the two tunnel ends.
Configuration restrictions and guidelines
Make sure the IPsec configuration at the two ends of an IPsec tunnel meets the following requirements:
The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
The remote IPv4 address configured on the local end must be the same as the primary IPv4 address of the interface applied with the IPsec policy at the remote end. The remote IPv6 address configured on the local end must be the same as the first IPv6 address of the interface applied with the IPsec policy at the remote end.
At each end, configure parameters for both the inbound SA and the outbound SA, and make sure the SAs in each direction are unique. For an outbound SA, the triplet (remote IP address, security protocol, SPI) must be unique. For an inbound SA, the SPI must be unique.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.
The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters.
Configuration procedure
To configure a manual IPsec policy:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a manual IPsec policy entry and enter its view. | ipsec { ipv6-policy | policy } policy-name seq-number manual | By default, no IPsec policy exists. |
3. (Optional.) Configure a description for the IPsec policy. | description text | By default, no description is configured. |
4. Specify an ACL for the IPsec policy. | security acl [ ipv6 ] { acl-number | name acl-name } | By default, no ACL is specified for an IPsec policy. You can specify only one ACL for an IPsec policy. |
5. Specify an IPsec transform set for the IPsec policy. | transform-set transform-set-name | By default, no IPsec transform set is specified for an IPsec policy. You can specify only one IPsec transform set for a manual IPsec policy. |
6. Specify the remote IP address of the IPsec tunnel. | remote-address { ipv4-address | ipv6 ipv6-address } | By default, the remote IP address of the IPsec tunnel is not specified. The local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied. The local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied. |
7. Configure an SPI for the inbound or outbound IPsec SA. | | By default, no SPI is configured for the inbound or outbound IPsec SA. |
8. Configure keys for the IPsec SA. | | By default, no keys are configured for the IPsec SA. Configure keys correctly for the security protocol (AH, ESP, or both) you have specified in the IPsec transform set used by the IPsec policy. If you configure a key in both the character and the hexadecimal formats, only the most recent configuration takes effect. If you configure a key in character format for ESP, the device automatically generates an authentication key and an encryption key for ESP. |
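The restrictions above (matching transform sets, remote address equal to the peer's interface address, local inbound SA equal to remote outbound SA and vice versa, consistent key format, unique outbound triplets and inbound SPIs) are easy to get wrong when typing two configurations by hand. The following checker is an added example, not part of this guide or of the device software; the data classes, field names and sample addresses, SPIs and keys are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sa:
    protocol: str    # "ah" or "esp", as selected in the transform set
    spi: int
    key: str
    key_format: str  # "string" (characters) or "hex" (hexadecimal)

@dataclass(frozen=True)
class ManualPolicy:
    local_addr: str       # primary address of the interface the policy is applied to
    remote_addr: str      # remote-address configured in the policy
    transform_set: tuple  # (security protocol, algorithms, encapsulation mode)
    inbound: Sa
    outbound: Sa

def check_pair(local, remote):
    """Return the list of violations between the two ends of one tunnel."""
    errors = []
    if local.transform_set != remote.transform_set:
        errors.append("transform sets differ (protocol, algorithms or mode)")
    if local.remote_addr != remote.local_addr or remote.remote_addr != local.local_addr:
        errors.append("remote-address does not match the peer interface address")
    pairs = (("local inbound/remote outbound", local.inbound, remote.outbound),
             ("local outbound/remote inbound", local.outbound, remote.inbound))
    for name, a, b in pairs:  # both SAs of a pair must carry the same protocol, SPI and key
        if (a.protocol, a.spi, a.key) != (b.protocol, b.spi, b.key):
            errors.append(f"{name}: protocol, SPI or key mismatch")
    formats = {sa.key_format for p in (local, remote) for sa in (p.inbound, p.outbound)}
    if len(formats) > 1:
        errors.append("mixed key formats (characters vs. hexadecimal)")
    return errors

def check_uniqueness(policies):
    """On one device: outbound (remote IP, protocol, SPI) triplets and inbound SPIs must be unique."""
    errors, out_seen, in_seen = [], set(), set()
    for p in policies:
        triplet = (p.remote_addr, p.outbound.protocol, p.outbound.spi)
        if triplet in out_seen:
            errors.append(f"duplicate outbound triplet {triplet}")
        if p.inbound.spi in in_seen:
            errors.append(f"duplicate inbound SPI {p.inbound.spi}")
        out_seen.add(triplet)
        in_seen.add(p.inbound.spi)
    return errors

# Constructed sample: a consistent pair A/B, and a copy of B whose inbound key was mistyped in hex.
TS = ("esp", "aes-cbc-128/sha1", "tunnel")
A = ManualPolicy("10.0.0.1", "10.0.0.2", TS, Sa("esp", 12345, "k-a2b", "string"), Sa("esp", 54321, "k-b2a", "string"))
B = ManualPolicy("10.0.0.2", "10.0.0.1", TS, Sa("esp", 54321, "k-b2a", "string"), Sa("esp", 12345, "k-a2b", "string"))
B_BAD = ManualPolicy("10.0.0.2", "10.0.0.1", TS, Sa("esp", 54321, "k-b2a-typo", "hex"), Sa("esp", 12345, "k-a2b", "string"))
```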