Configuring a manual IPsec profile
An IPsec profile is similar to an IPsec policy. The difference is that an IPsec profile is uniquely identified by a name and it does not support ACL configuration. An IPsec profile defines the IPsec transform set used for protecting data flows, and specifies SPIs and the keys used by the SAs.
The IPsec profile configurations at the two tunnel ends must meet the following requirements:
- The IPsec transform set used by the IPsec profile at the two tunnel ends must have the same security protocol, encryption and authentication algorithms, and packet encapsulation mode.
- The local inbound and outbound IPsec SAs must have the same SPI and key.
- The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by protocols. For RIPng, the scope consists of directly connected neighbors or a RIPng process.
- The keys for the IPsec SAs at the two tunnel ends must be configured in the same format. For example, if the key at one end is entered as a string of characters, the key on the other end must also be entered as a string of characters.
To configure a manual IPsec profile:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Create a manual IPsec profile and enter its view. | ipsec profile profile-name manual | By default, no IPsec profile exists. The manual keyword is not needed if you enter the view of an existing IPsec profile.
3. (Optional.) Configure a description for the IPsec profile. | description text | By default, no description is configured.
4. Specify an IPsec transform set for the IPsec profile. | transform-set transform-set-name | By default, no IPsec transform set is specified for an IPsec profile. The specified IPsec transform set must use the transport mode.
5. Configure an SPI for an SA. | sa spi { inbound \| outbound } { ah \| esp } spi-number | By default, no SPI is configured for an SA.
6. Configure keys for the IPsec SA. | | By default, no keys are configured for the IPsec SA. Configure a key for the security protocol (AH, ESP, or both) you have specified. If you configure a key in character format for ESP, the device automatically generates an authentication key and an encryption key for ESP. If you configure a key in both the character and hexadecimal formats, only the most recent configuration takes effect.
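The requirements listed above (matching transform sets, equal local inbound/outbound SPI and key, same key and key format at both ends, transport mode for the transform set, and "only the most recent key configuration takes effect") expressed as a consistency check over the settings of both tunnel ends. This is an added Python example, not code from the original documentation or the device vendor; the profile model, its field names and the sample SPIs and keys are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TransformSet:
    protocol: str        # "ah", "esp" or "ah-esp"
    encryption: str      # encryption algorithm, "" for AH-only
    authentication: str  # authentication algorithm
    encapsulation: str   # an IPsec profile requires "transport"

@dataclass
class ManualProfile:
    name: str
    transform_set: TransformSet
    spi: dict                                        # {"inbound": n, "outbound": n}
    key_configs: list = field(default_factory=list)  # (direction, format, key), entry order

    def effective_key(self, direction):
        # Only the most recently configured key for a direction takes effect.
        hits = [(fmt, key) for d, fmt, key in self.key_configs if d == direction]
        return hits[-1] if hits else None

def check_profiles(local, peer):
    # Returns the list of requirement violations; empty means consistent.
    problems = []
    if local.transform_set != peer.transform_set:
        problems.append("transform sets differ between the two ends")
    for p in (local, peer):
        if p.transform_set.encapsulation != "transport":
            problems.append(f"{p.name}: transform set is not in transport mode")
        if p.spi["inbound"] != p.spi["outbound"]:
            problems.append(f"{p.name}: inbound and outbound SPIs differ")
        if p.effective_key("inbound") != p.effective_key("outbound"):
            problems.append(f"{p.name}: inbound and outbound keys differ")
    lk, pk = local.effective_key("inbound"), peer.effective_key("inbound")
    if lk is None or pk is None:
        problems.append("a key is missing at one end")
    elif lk[0] != pk[0]:
        problems.append("keys are entered in different formats at the two ends")
    elif lk[1] != pk[1]:
        problems.append("keys differ between the two ends")
    return problems

# Constructed sample values. The local end entered hex keys first and then
# character keys, so only the character keys are in effect.
TS = TransformSet("esp", "aes-cbc-128", "sha1", "transport")
SPIS = {"inbound": 12345, "outbound": 12345}
LOCAL = ManualProfile("local", TS, SPIS, [("inbound", "hex", "1234abcd"), ("outbound", "hex", "1234abcd"),
                                          ("inbound", "string", "abcdefg"), ("outbound", "string", "abcdefg")])
PEER = ManualProfile("peer", TS, SPIS, [("inbound", "string", "abcdefg"), ("outbound", "string", "abcdefg")])
HEX_PEER = ManualProfile("peer-hex", TS, SPIS, [("inbound", "hex", "1234abcd"), ("outbound", "hex", "1234abcd")])
```

Running `check_profiles(LOCAL, PEER)` returns no problems, while `check_profiles(LOCAL, HEX_PEER)` reports the key-format mismatch even though the hex keys the local end entered earlier match the peer's, because they were superseded.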