Configuring a manual IPsec policy

In a manual IPsec policy, the parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode.

Restrictions and guidelines

When you configure a manual IPsec policy, make sure the IPsec configuration at both ends of the IPsec tunnel meets the following requirements:

Procedure

  1. Enter system view.

    system-view

  2. Create a manual IPsec policy entry and enter its view.

    ipsec { ipv6-policy | policy } policy-name seq-number manual

  3. (Optional.) Configure a description for the IPsec policy.

    description text

    By default, no description is configured.

  4. Specify an ACL for the IPsec policy.

    security acl [ ipv6 ] { acl-number | name acl-name }

    By default, no ACL is specified for an IPsec policy.

    You can specify only one ACL for an IPsec policy.

  5. Specify an IPsec transform set for the IPsec policy.

    transform-set transform-set-name

    By default, no IPsec transform set is specified for an IPsec policy.

    You can specify only one IPsec transform set for a manual IPsec policy.

  6. Specify the remote IP address of the IPsec tunnel.

    remote-address { ipv4-address | ipv6 ipv6-address }

    By default, the remote IP address of the IPsec tunnel is not specified.

  7. Configure an SPI for the inbound IPsec SA.

    sa spi inbound { ah | esp } spi-number

    By default, no SPI is configured for the inbound IPsec SA.

  8. Configure an SPI for the outbound IPsec SA.

    sa spi outbound { ah | esp } spi-number

    By default, no SPI is configured for the outbound IPsec SA.

  9. Configure keys for the IPsec SA.

    • Configure an authentication key in hexadecimal format for AH.

      sa hex-key authentication { inbound | outbound } ah { cipher | simple } string

    • Configure an authentication key in character format for AH.

      sa string-key { inbound | outbound } ah { cipher | simple } string

    • Configure a key in character format for ESP.

      sa string-key { inbound | outbound } esp { cipher | simple } string

    • Configure an authentication key in hexadecimal format for ESP.

      sa hex-key authentication { inbound | outbound } esp { cipher | simple } string

    • Configure an encryption key in hexadecimal format for ESP.

      sa hex-key encryption { inbound | outbound } esp { cipher | simple } string

    By default, no keys are configured for the IPsec SA.

    Configure keys correctly for the security protocol (AH, ESP, or both) you have specified in the IPsec transform set used by the IPsec policy.
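The following is an added example, not taken from this guide, that walks steps 2 through 9 on both ends of a tunnel so that the inbound SA on one device mirrors the outbound SA on the other (same SPI and same key, crossed over). It assumes an ACL 3101 and an IPsec transform set tran1 that uses ESP already exist on both devices, that the tunnel addresses are 1.1.1.1 (Device A) and 2.2.2.2 (Device B), and that the prompts follow the Comware 7 pattern for manual policy view; the policy name, SPIs, and plaintext keys are constructed placeholders.

```text
# Device A (tunnel address 1.1.1.1, constructed)
<DeviceA> system-view
[DeviceA] ipsec policy map1 10 manual
[DeviceA-ipsec-policy-manual-map1-10] description manual tunnel to Device B
[DeviceA-ipsec-policy-manual-map1-10] security acl 3101
[DeviceA-ipsec-policy-manual-map1-10] transform-set tran1
[DeviceA-ipsec-policy-manual-map1-10] remote-address 2.2.2.2
# Outbound on A is inbound on B, and vice versa
[DeviceA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[DeviceA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[DeviceA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple keyAtoB-placeholder
[DeviceA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple keyBtoA-placeholder

# Device B (tunnel address 2.2.2.2, constructed): SPIs and keys crossed over
<DeviceB> system-view
[DeviceB] ipsec policy map1 10 manual
[DeviceB-ipsec-policy-manual-map1-10] description manual tunnel to Device A
[DeviceB-ipsec-policy-manual-map1-10] security acl 3101
[DeviceB-ipsec-policy-manual-map1-10] transform-set tran1
[DeviceB-ipsec-policy-manual-map1-10] remote-address 1.1.1.1
[DeviceB-ipsec-policy-manual-map1-10] sa spi outbound esp 54321
[DeviceB-ipsec-policy-manual-map1-10] sa spi inbound esp 12345
[DeviceB-ipsec-policy-manual-map1-10] sa string-key outbound esp simple keyBtoA-placeholder
[DeviceB-ipsec-policy-manual-map1-10] sa string-key inbound esp simple keyAtoB-placeholder
```

The `esp` keyword in the sa spi and sa string-key commands must agree with the protocol selected in tran1 (step 9's note); if the transform set also uses AH, the AH SPIs and AH keys are configured in the same crossed-over way. When a key is copied from another device's running configuration in its encrypted form, enter it with `cipher` instead of `simple`.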