Configuring a manual IPsec policy
In a manual IPsec policy, you configure the SA parameters yourself: the keys, the SPIs, and, in tunnel mode, the IP addresses of the two tunnel ends.
Restrictions and guidelines
When you configure a manual IPsec policy, make sure the IPsec configuration at both ends of the IPsec tunnel meets the following requirements:
The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
The remote IPv4 address configured on the local end must be the same as the primary IPv4 address of the interface applied with the IPsec policy at the remote end. The remote IPv6 address configured on the local end must be the same as the first IPv6 address of the interface applied with the IPsec policy at the remote end.
At each end, configure parameters for both the inbound SA and the outbound SA, and make sure the SAs in each direction are unique: the triplet (remote IP address, security protocol, and SPI) of each outbound SA must be unique, and the SPI of each inbound SA must be unique.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.
The keys for the IPsec SAs at the two tunnel ends must be configured in the same format. For example, if the local end uses a key in hexadecimal format, the remote end must also use a key in hexadecimal format. If you configure a key in both the character and the hexadecimal formats, only the most recent configuration takes effect.
If you configure a key in character format for ESP, the device automatically generates an authentication key and an encryption key for ESP.
Procedure
Enter system view.
system-view
Create a manual IPsec policy entry and enter its view.
ipsec { ipv6-policy | policy } policy-name seq-number manual
(Optional.) Configure a description for the IPsec policy.
description text
By default, no description is configured.
Specify an ACL for the IPsec policy.
security acl [ ipv6 ] { acl-number | name acl-name }
By default, no ACL is specified for an IPsec policy.
You can specify only one ACL for an IPsec policy.
Specify an IPsec transform set for the IPsec policy.
transform-set transform-set-name
By default, no IPsec transform set is specified for an IPsec policy.
You can specify only one IPsec transform set for a manual IPsec policy.
Specify the remote IP address of the IPsec tunnel.
remote-address { ipv4-address | ipv6 ipv6-address }
By default, the remote IP address of the IPsec tunnel is not specified.
Configure an SPI for the inbound IPsec SA.
sa spi inbound { ah | esp } spi-number
By default, no SPI is configured for the inbound IPsec SA.
Configure an SPI for the outbound IPsec SA.
sa spi outbound { ah | esp } spi-number
By default, no SPI is configured for the outbound IPsec SA.
Configure keys for the IPsec SA.
Configure an authentication key in hexadecimal format for AH.
sa hex-key authentication { inbound | outbound } ah { cipher | simple } string
Configure an authentication key in character format for AH.
sa string-key { inbound | outbound } ah { cipher | simple } string
Configure a key in character format for ESP.
sa string-key { inbound | outbound } esp { cipher | simple } string
Configure an authentication key in hexadecimal format for ESP.
sa hex-key authentication { inbound | outbound } esp { cipher | simple } string
Configure an encryption key in hexadecimal format for ESP.
sa hex-key encryption { inbound | outbound } esp { cipher | simple } string
By default, no keys are configured for the IPsec SA.
Configure keys correctly for the security protocol (AH, ESP, or both) you have specified in the IPsec transform set used by the IPsec policy.
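The following configuration walks the procedure above through for both ends of one tunnel, so that the restrictions on mirrored SPIs and keys can be checked line by line. It is an added example, not taken from the configuration guide. The ACL, IPsec transform set, interface names, IP addresses, SPI values, and key strings are sample values chosen for illustration; the ACL, transform set, and interface commands come from the related configuration steps rather than from this section.

```text
# ---- Device A (local end, tunnel endpoint 1.1.1.1; all values are samples) ----
system-view
# Traffic to protect: sample subnets behind each device.
acl advanced 3101
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
quit
# Transform set: both ends must use the same protocol, algorithms, and mode.
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
quit
# Manual IPsec policy entry.
ipsec policy map1 10 manual
 description manual tunnel to Device B
 security acl 3101
 transform-set tran1
 remote-address 2.2.2.2
 # Inbound SPI here = outbound SPI on Device B, and vice versa.
 sa spi inbound esp 12345
 sa spi outbound esp 54321
 # Character-format keys: the device derives the ESP authentication and
 # encryption keys from each string. Inbound key here = outbound key on B.
 sa string-key inbound esp simple abcdefg
 sa string-key outbound esp simple gfedcba
quit
# Apply the policy to the interface whose primary address is 1.1.1.1.
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
 ipsec apply policy map1
quit

# ---- Device B (remote end, tunnel endpoint 2.2.2.2) ----
system-view
# Mirror image of the ACL: source and destination swapped.
acl advanced 3101
 rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
quit
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
quit
ipsec policy map1 10 manual
 description manual tunnel to Device A
 security acl 3101
 transform-set tran1
 # Must equal the primary IPv4 address of the interface on Device A
 # to which the policy is applied.
 remote-address 1.1.1.1
 # SPIs mirrored relative to Device A.
 sa spi inbound esp 54321
 sa spi outbound esp 12345
 # Keys mirrored relative to Device A, in the same (character) format.
 sa string-key inbound esp simple gfedcba
 sa string-key outbound esp simple abcdefg
quit
interface GigabitEthernet1/0/1
 ip address 2.2.2.2 255.255.255.0
 ipsec apply policy map1
quit
```

The pairing to verify before traffic is sent: A's inbound SPI and key match B's outbound SPI and key, and A's outbound SPI and key match B's inbound SPI and key. Because both ends enter keys in character format, the requirement that both ends use the same key format is met; mixing a `sa string-key` on one end with `sa hex-key` commands on the other would produce SAs that fail to interoperate even though every other parameter matches.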