Configuring an IPsec policy
IPsec policies define which IPsec transform sets should be used to protect which data flows. An IPsec policy is uniquely identified by its name and sequence number.
IPsec policies fall into two categories:
Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode.
IKE-based IPsec policy—The parameters are automatically negotiated through IKE. (Available only in FIPS mode.)
Configuring a manual IPsec policy
To guarantee successful SA negotiations, follow these guidelines when configuring manual IPsec policies at the two ends of an IPsec tunnel:
The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
The remote IP address configured on the local end must be the same as the IP address of the remote end.
At each end, configure parameters for both the inbound SA and the outbound SA. Every SA on a device must have its own SPI: the inbound and outbound SAs of one policy must not share an SPI, and SAs in the same direction (for example, the inbound SAs of two different policies) must also use different SPIs.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.
The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters.
Follow these guidelines when you configure an IPsec policy for an IPv6 routing protocol:
You do not need to configure ACLs or IPsec tunnel addresses.
Within a certain routed network scope, the SAs on all devices must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a peer group.
All SAs (both inbound and outbound) within the routed network scope must use the same SPI and keys.
Configure the keys on all routers within the routed network scope in the same format. For example, if you enter the keys in hexadecimal format on one router, do so across the routed network scope.
Before you configure a manual IPsec policy, configure ACLs used for identifying protected traffic and IPsec transform sets. ACLs are not required for IPsec policies for an IPv6 protocol.
To configure a manual IPsec policy:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a manual IPsec policy and enter its view. | ipsec policy policy-name seq-number manual | By default, no IPsec policy exists. |
3. Assign an ACL to the IPsec policy. | security acl acl-number | Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications. By default, an IPsec policy references no ACL. An IPsec policy can reference only one ACL. If you specify multiple ACLs for an IPsec policy, only the last specified ACL takes effect. |
4. Assign an IPsec transform set to the IPsec policy. | transform-set transform-set-name | By default, an IPsec policy references no IPsec transform set. A manual IPsec policy can reference only one IPsec transform set. To change an IPsec transform set for an IPsec policy, you must remove the current reference first. |
5. Configure the two ends of the IPsec tunnel. | | Configuring the local address of the tunnel is not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications. Configuring the remote address of the tunnel is required. Neither the local nor the remote address is configured by default. |
6. Configure an SPI for an SA. | sa spi { inbound | outbound } { ah | esp } spi-number | By default, no SPI is configured for an SA. |
7. Configure keys for the SA. | sa string-key (key in characters), or the hexadecimal key commands | Configure keys properly for the security protocol (AH or ESP) you have specified. If you configure a key in both modes (in characters and in hexadecimal), only the last configured one is used. If you configure a key in characters for ESP, the device automatically derives an authentication key and an encryption key for ESP from it. The sa string-key command is not supported in FIPS mode. |

NOTE: You cannot change the creation mode of an IPsec policy from manual to IKE-based, or vice versa. To create an IKE-based IPsec policy, delete the manual IPsec policy, and then configure a new IKE-based IPsec policy.
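The guidelines above are easy to get subtly wrong when the two ends are configured by hand (a transposed SPI, or a hex key on one SA and a character key on the others), and a manual SA gives you no negotiation error to point at the mistake. The following added example is a pre-deployment consistency check written for this page; it is not Comware code. The ManualSA and ManualEnd classes are assumptions that simply hold the values you would type with ipsec policy ... manual, the tunnel address commands, sa spi and the key commands, and the router values are constructed.

```python
"""Added example: check that the manual IPsec policies at two tunnel ends mirror each other.

Not Comware code. The data model is an assumption that holds the values typed on the CLI;
the sample router values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ManualSA:
    spi: int          # value given to 'sa spi { inbound | outbound } { ah | esp }'
    key: str          # key material as entered on the CLI
    key_format: str   # "characters" or "hex"; all four SAs of the pair must agree


@dataclass(frozen=True)
class ManualEnd:
    name: str
    local_addr: str
    remote_addr: str
    transform: tuple  # (protocol, algorithms, mode) of the referenced transform set
    inbound: ManualSA
    outbound: ManualSA


def check_manual_pair(a: ManualEnd, b: ManualEnd) -> list:
    """Return the guideline violations found; an empty list means the pair is consistent."""
    errors = []
    # Same security protocol, algorithms and encapsulation mode at both ends.
    if a.transform != b.transform:
        errors.append("transform sets differ (protocol, algorithms or mode)")
    # The remote address on each end must be the other end's local address.
    if a.remote_addr != b.local_addr:
        errors.append(f"{a.name}: remote address {a.remote_addr} is not {b.name}'s local address {b.local_addr}")
    if b.remote_addr != a.local_addr:
        errors.append(f"{b.name}: remote address {b.remote_addr} is not {a.name}'s local address {a.local_addr}")
    # Inbound and outbound SAs on one device must not share an SPI.
    for end in (a, b):
        if end.inbound.spi == end.outbound.spi:
            errors.append(f"{end.name}: inbound and outbound SAs share SPI {end.inbound.spi}")
    # Local inbound SA must equal the remote outbound SA (SPI and key), and vice versa.
    for local, remote in ((a, b), (b, a)):
        label = f"{local.name} inbound / {remote.name} outbound"
        if local.inbound.spi != remote.outbound.spi:
            errors.append(f"{label}: SPI mismatch {local.inbound.spi} != {remote.outbound.spi}")
        if local.inbound.key != remote.outbound.key:
            errors.append(f"{label}: key mismatch")
    # All four SAs must use keys in the same format.
    formats = {sa.key_format for end in (a, b) for sa in (end.inbound, end.outbound)}
    if len(formats) > 1:
        errors.append(f"mixed key formats {sorted(formats)}; use characters or hex on all four SAs")
    return errors


# Constructed sample: ESP in tunnel mode, keys entered in characters on both routers.
ESP_SET = ("esp", "aes-cbc-128", "sha1", "tunnel")

ROUTER_A = ManualEnd("RouterA", "1.1.1.1", "2.2.2.2", ESP_SET,
                     inbound=ManualSA(12345, "abcdefg", "characters"),
                     outbound=ManualSA(54321, "gfedcba", "characters"))
ROUTER_B = ManualEnd("RouterB", "2.2.2.2", "1.1.1.1", ESP_SET,
                     inbound=ManualSA(54321, "gfedcba", "characters"),
                     outbound=ManualSA(12345, "abcdefg", "characters"))

# A misconfigured peer: transposed outbound SPI and a hex key on one SA.
ROUTER_B_BAD = ManualEnd("RouterB", "2.2.2.2", "1.1.1.1", ESP_SET,
                         inbound=ManualSA(54321, "gfedcba", "characters"),
                         outbound=ManualSA(12354, "abcdefg", "hex"))

if __name__ == "__main__":
    print(check_manual_pair(ROUTER_A, ROUTER_B))       # []
    for err in check_manual_pair(ROUTER_A, ROUTER_B_BAD):
        print("-", err)
```

Run it against the values you intend to type on both ends before committing them; the two findings it reports for ROUTER_B_BAD (an SPI mismatch between RouterA's inbound SA and RouterB's outbound SA, and mixed key formats) are exactly the cases the guidelines above call out.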
Configuring an IKE-based IPsec policy (available only in FIPS mode)
An IKE-based IPsec policy is configured directly by setting its parameters in IPsec policy view.
Before you configure an IKE-based IPsec policy, configure the ACLs and the IKE peer that the policy will reference.
The parameters configured at the local and remote ends must match.
When you configure an IKE-based IPsec policy, follow these guidelines:
An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last one takes effect.
With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec transform sets. During negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to be protected will be dropped.
During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is performed. If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same Diffie-Hellman (DH) group; otherwise, the negotiation will fail.
An SA uses the global lifetime settings when it is not configured with lifetime settings in IPsec policy view. When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer, whichever are smaller.
You cannot change the creation mode of an IPsec policy directly. To create an IPsec policy in another creation mode, delete the current one and then configure a new IPsec policy.
To directly configure an IKE-based IPsec policy:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an IKE-based IPsec policy and enter its view. | ipsec policy policy-name seq-number isakmp | By default, no IPsec policy exists. |
3. Configure an IPsec connection name. | connection-name name | Optional. By default, no IPsec connection name is configured. |
4. Assign an ACL to the IPsec policy. | security acl acl-number | By default, an IPsec policy references no ACL. An IPsec policy can reference only one ACL. If you specify multiple ACLs for an IPsec policy, only the last specified ACL takes effect. |
5. Assign IPsec transform sets to the IPsec policy. | transform-set transform-set-name&<1-6> | By default, an IPsec policy references no IPsec transform set. |
6. Specify an IKE peer for the IPsec policy. | ike-peer peer-name | An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa. |
7. Enable and configure the perfect forward secrecy feature for the IPsec policy. | pfs dh-group14 | Optional. By default, the PFS feature is not used for negotiation. For more information about PFS, see "Configuring IKE." |
8. Set the SA lifetime. | sa duration { time-based seconds | traffic-based kilobytes } | Optional. By default, the global SA lifetime is used. |
9. Enable the IPsec policy. | policy enable | Optional. Enabled by default. |
10. Return to system view. | quit | N/A |
11. Set the global SA lifetime. | ipsec sa global-duration { time-based seconds | traffic-based kilobytes } | Optional. 3600 seconds for time-based SA lifetime by default. 1843200 kilobytes for traffic-based SA lifetime by default. |
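The matching rules in the guidelines above (a fully matched transform set out of at most six, PFS with the same DH group on both ends, and the smaller of the two lifetimes) decide whether an IKE-based policy produces an SA at all. The following added example, written for this page and not taken from Comware's IKE implementation, models those three decisions so you can see which one fails for a given pair of configurations. The TransformSet and IkePolicyEnd classes and the negotiate function are assumptions; the transform sets and lifetimes are constructed, and the global defaults are the 3600 seconds and 1843200 kilobytes listed in step 11.

```python
"""Added example: simulate transform-set selection, PFS checking and lifetime choice for an
IKE-based IPsec policy.

Not Comware code. The classes and negotiate() are assumptions that make the page's matching
rules concrete; sample transform sets and lifetimes are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_TRANSFORM_SETS = 6          # an IKE-based policy references at most six sets
GLOBAL_TIME_BASED = 3600        # default 'ipsec sa global-duration time-based' (seconds)
GLOBAL_TRAFFIC_BASED = 1843200  # default 'ipsec sa global-duration traffic-based' (kilobytes)


@dataclass(frozen=True)
class TransformSet:
    name: str        # local name only; the peer never sees it
    protocol: str    # "esp" or "ah"
    encryption: str  # "" for AH
    auth: str
    mode: str        # "tunnel" or "transport"

    def proposal(self) -> tuple:
        """The parameters IKE actually compares; two sets match when these are equal."""
        return (self.protocol, self.encryption, self.auth, self.mode)


@dataclass
class IkePolicyEnd:
    name: str
    transform_sets: List[TransformSet]
    pfs_group: Optional[str] = None    # e.g. "dh-group14"; None means PFS is not used
    time_based: Optional[int] = None   # None means the global lifetime applies
    traffic_based: Optional[int] = None

    def __post_init__(self):
        if len(self.transform_sets) > MAX_TRANSFORM_SETS:
            raise ValueError(f"{self.name}: at most {MAX_TRANSFORM_SETS} transform sets per policy")

    def effective_lifetime(self) -> tuple:
        t = self.time_based if self.time_based is not None else GLOBAL_TIME_BASED
        k = self.traffic_based if self.traffic_based is not None else GLOBAL_TRAFFIC_BASED
        return t, k


def negotiate(local: IkePolicyEnd, peer: IkePolicyEnd) -> dict:
    """Return {'ok': True, ...} with the agreed parameters, or {'ok': False, 'reason': ...}."""
    # 1. A fully matched transform set: the first local set that some peer set equals.
    chosen = None
    for ts in local.transform_sets:
        if any(ts.proposal() == pts.proposal() for pts in peer.transform_sets):
            chosen = ts
            break
    if chosen is None:
        return {"ok": False, "reason": "no fully matched transform set; protected packets are dropped"}
    # 2. PFS: both ends use it with the same DH group, or neither uses it.
    if local.pfs_group != peer.pfs_group:
        return {"ok": False, "reason": f"PFS mismatch: {local.pfs_group} vs {peer.pfs_group}"}
    # 3. Lifetime: the smaller of the local settings and the peer's proposal.
    lt, lk = local.effective_lifetime()
    pt, pk = peer.effective_lifetime()
    return {"ok": True, "transform": chosen.proposal(), "pfs": local.pfs_group,
            "time_based": min(lt, pt), "traffic_based": min(lk, pk)}


# Constructed sample configurations.
ESP_AES128_SHA1 = TransformSet("tran1", "esp", "aes-cbc-128", "sha1", "tunnel")
ESP_AES256_SHA256 = TransformSet("tran2", "esp", "aes-cbc-256", "sha256", "tunnel")
AH_SHA1 = TransformSet("tran3", "ah", "", "sha1", "tunnel")

LOCAL = IkePolicyEnd("RouterA", [ESP_AES256_SHA256, ESP_AES128_SHA1],
                     pfs_group="dh-group14", time_based=1800)
PEER = IkePolicyEnd("RouterB", [TransformSet("peer-set", "esp", "aes-cbc-128", "sha1", "tunnel")],
                    pfs_group="dh-group14")
PEER_NO_PFS = IkePolicyEnd("RouterC", [ESP_AES128_SHA1])
PEER_AH_ONLY = IkePolicyEnd("RouterD", [AH_SHA1], pfs_group="dh-group14")

if __name__ == "__main__":
    for peer in (PEER, PEER_NO_PFS, PEER_AH_ONLY):
        print(peer.name, negotiate(LOCAL, peer))
```

With PEER the second local set matches on parameters even though the names differ, and the SA lifetime comes out as 1800 seconds and 1843200 kilobytes because RouterA's policy-level time-based lifetime is smaller than RouterB's global default. PEER_NO_PFS fails on the PFS check and PEER_AH_ONLY fails on transform-set matching, which is the difference between "the tunnel comes up with the wrong protection" and "the tunnel never comes up".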