Configuring an IKE-based IPsec policy
About IKE-based IPsec policy configuration
In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.
To configure an IKE-based IPsec policy, use one of the following methods:
Configure it directly by setting the parameters in IPsec policy view.
Configure it by using an existing IPsec policy template in which the parameters to be negotiated are already configured.
A device that uses an IPsec policy configured in this way cannot initiate an SA negotiation, but it can respond to one. Any parameter not defined in the template is determined by the initiator. For example, the ACL is optional in an IPsec policy template. If you do not specify an ACL, the IPsec protection range is unlimited, so the device accepts whatever ACL settings the negotiation initiator proposes.
When the remote end's information (such as the IP address) is unknown, this method allows the remote end to initiate negotiations with the local end.
The configurable parameters for an IPsec policy template are the same as those for a directly configured IKE-based IPsec policy. The difference is that more of them are optional in a template: except for the IPsec transform sets and the IKE profile, all parameters are optional.
Restrictions and guidelines for IKE-based IPsec policy configuration
The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
The IPsec policies at the two tunnel ends must have the same IKE profile parameters.
An IKE-based IPsec policy can use a maximum of six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets that require IPsec protection are dropped.
The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end.
The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever is smaller.
The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires.
If you specify both an IKEv1 profile and an IKEv2 profile for an IPsec policy, the IKEv2 profile is used preferentially. For more information about IKEv1 and IKEv2 profiles, see "Configuring IKE" and "Configuring IKEv2."
Directly configuring an IKE-based IPsec policy
Enter system view.
system-view
Create an IKE-based IPsec policy entry and enter its view.
ipsec { ipv6-policy | policy } policy-name seq-number isakmp
(Optional.) Configure a description for the IPsec policy.
description text
By default, no description is configured.
Specify an ACL for the IPsec policy.
security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]
By default, no ACL is specified for an IPsec policy.
You can specify only one ACL for an IPsec policy.
Specify IPsec transform sets for the IPsec policy.
transform-set transform-set-name&<1-6>
By default, no IPsec transform sets are specified for an IPsec policy.
Specify an IKE profile or IKEv2 profile for the IPsec policy.
Specify an IKE profile.
ike-profile profile-name
By default, no IKE profile is specified for an IPsec policy.
Specify an IKEv2 profile.
ikev2-profile profile-name
By default, no IKEv2 profile is specified for an IPsec policy.
Specify the local IP address of the IPsec tunnel.
local-address { ipv4-address | ipv6 ipv6-address }
By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied. The local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied.
The local IP address specified by this command must be the same as the IP address used as the local IKE identity.
In a VRRP network, the local IP address must be the virtual IP address of the VRRP group to which the IPsec-applied interface belongs.
Specify the remote IP address of the IPsec tunnel.
remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }
By default, the remote IP address of the IPsec tunnel is not specified.
(Optional.) Set the lifetime or idle timeout for the IPsec SA.
Set the IPsec SA lifetime.
sa duration { time-based seconds | traffic-based kilobytes }
By default, the global SA lifetime is used.
Set the IPsec SA idle timeout.
sa idle-time seconds
By default, the global IPsec SA idle timeout is used.
(Optional.) Enable the Traffic Flow Confidentiality (TFC) padding feature.
tfc enable
By default, the TFC padding feature is disabled.
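As an added end-to-end example that is not part of the original guide, the following shows Router A's side of a site-to-site tunnel built with a directly configured IKE-based IPsec policy. The addresses, interface, ACL number, object names, pre-shared key and algorithm choices are assumptions chosen for the example; the IKE keychain, proposal and profile commands belong to the "Configuring IKE" chapter and appear here only so that the policy has a profile to reference. Lines beginning with # are explanatory comments, not commands.

```text
# ---- Router A: local tunnel endpoint 1.1.1.1, protects 10.1.1.0/24 ----
system-view
# Traffic to protect. Router B's ACL must be the mirror image (source and
# destination swapped), or the negotiated protection ranges will not agree.
acl advanced 3000
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 quit
# Transform set. Protocol, algorithms and encapsulation mode must be
# identical on both tunnel ends, or no SA is set up and traffic is dropped.
ipsec transform-set tran1
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha256
 encapsulation-mode tunnel
 quit
# IKE keychain: pre-shared key for peer 2.2.2.2 (example value only; use a
# strong, per-peer secret in cipher form in production).
ike keychain keychain1
 pre-shared-key address 2.2.2.2 key simple ExampleSharedKey123
 quit
# IKE proposal. Both ends must offer matching parameters.
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha256
 dh group14
 quit
# IKE profile. local-identity must equal the local-address set in the policy.
ike profile profile1
 keychain keychain1
 proposal 1
 local-identity address 1.1.1.1
 match remote identity address 2.2.2.2 255.255.255.255
 quit
# IKE-based IPsec policy, directly configured (this section's procedure).
ipsec policy policy1 1 isakmp
 description to-router-b
 security acl 3000
 transform-set tran1
 ike-profile profile1
 local-address 1.1.1.1
 remote-address 2.2.2.2
 sa duration time-based 3600
 sa duration traffic-based 1843200
 sa idle-time 600
 quit
# Apply the policy to the interface that owns the tunnel address.
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
 ipsec apply policy policy1
 quit
```

Router B is configured the same way with the roles reversed: its ACL permits 10.1.2.0/24 to 10.1.1.0/24, its local-address and local-identity are 2.2.2.2, its remote-address and keychain entry point at 1.1.1.1, and its transform set and IKE proposal carry the same protocol, algorithms, DH group and encapsulation mode as Router A. Because remote-address is set on both sides, either router can initiate. Both lifetimes are configured here, so the SA is renewed when the first of the two (time or traffic volume) runs out, and the peer's smaller values take precedence if it proposes any. After traffic matching the ACL has been sent, display ike sa and display ipsec sa show the established SAs; their absence usually means a transform set or IKE profile mismatch between the two ends.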
Configuring an IKE-based IPsec policy by using an IPsec policy template
Enter system view.
system-view
Create an IPsec policy template and enter its view.
ipsec { ipv6-policy-template | policy-template } template-name seq-number
(Optional.) Configure a description for the IPsec policy template.
description text
By default, no description is configured.
(Optional.) Specify an ACL for the IPsec policy template.
security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]
By default, no ACL is specified for an IPsec policy template.
You can specify only one ACL for an IPsec policy template.
Specify IPsec transform sets for the IPsec policy template.
transform-set transform-set-name&<1-6>
By default, no IPsec transform sets are specified for an IPsec policy template.
Specify an IKE profile or IKEv2 profile for the IPsec policy template.
Specify an IKE profile.
ike-profile profile-name
By default, no IKE profile is specified for an IPsec policy template.
Make sure the specified IKE profile is not used by another IPsec policy or IPsec policy template.
Specify an IKEv2 profile.
ikev2-profile profile-name
By default, no IKEv2 profile is specified for an IPsec policy template.
Specify the local IP address of the IPsec tunnel.
local-address { ipv4-address | ipv6 ipv6-address }
By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address, and the local IPv6 address is the first IPv6 address, of the interface to which the IPsec policy is applied.
The local IP address specified by this command must be the same as the IP address used as the local IKE identity.
In a VRRP network, the local IP address must be the virtual IP address of the VRRP group to which the IPsec-applied interface belongs.
Specify the remote IP address of the IPsec tunnel.
remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }
By default, the remote IP address of the IPsec tunnel is not specified.
(Optional.) Set the lifetime or idle timeout for the IPsec SA.
Set the IPsec SA lifetime.
sa duration { time-based seconds | traffic-based kilobytes }
By default, the global SA lifetime is used.
Set the IPsec SA idle timeout.
sa idle-time seconds
By default, the global IPsec SA idle timeout is used.
(Optional.) Enable the Traffic Flow Confidentiality (TFC) padding feature.
tfc enable
By default, the TFC padding feature is disabled.
Return to system view.
quit
Create an IPsec policy by using the IPsec policy template.
ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name
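As an added example that is not part of the original guide, the following configures a hub router whose spoke addresses are not known in advance, which is the case the policy template is meant for. The hub cannot initiate negotiations; each spoke uses a directly configured IKE-based IPsec policy whose remote-address is the hub's 1.1.1.1 and whose transform set and IKE parameters match the hub's. The addresses, interface, object names, pre-shared key and algorithm choices are assumptions chosen for the example, and the IKE keychain, proposal and profile commands are from the "Configuring IKE" chapter. Lines beginning with # are explanatory comments, not commands.

```text
# ---- Hub router: local tunnel endpoint 1.1.1.1, responder only ----
system-view
# Transform set: must fully match the set proposed by each spoke.
ipsec transform-set tran1
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha256
 encapsulation-mode tunnel
 quit
# Keychain with a wildcard address entry, because spoke addresses are unknown.
# Any host holding this key may negotiate; keep its distribution tight
# (example value only; use cipher form in production).
ike keychain keychain-hub
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple ExampleSharedKey123
 quit
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha256
 dh group14
 quit
# IKE profile dedicated to this template: the guide requires that the profile
# not be shared with another IPsec policy or template.
ike profile profile-hub
 keychain keychain-hub
 proposal 1
 local-identity address 1.1.1.1
 match remote identity address 0.0.0.0 0.0.0.0
 quit
# IPsec policy template. Only the transform set and the IKE profile are
# required. No security acl is given, so the protection range is unlimited
# and the hub accepts the ACL each spoke proposes; no remote-address is given,
# which is allowed because the hub only responds.
ipsec policy-template template1 1
 description hub-responder
 transform-set tran1
 ike-profile profile-hub
 local-address 1.1.1.1
 sa duration time-based 3600
 sa idle-time 600
 quit
# Create the IKE-based policy from the template and apply it.
ipsec policy policy-hub 1 isakmp template template1
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
 ipsec apply policy policy-hub
 quit
```

Because the template carries no ACL, every SA set up through it has the protection range chosen by the spoke that initiated it. To bound what the hub will protect, add a security acl to the template; to limit who can negotiate, narrow the keychain and match remote identity entries from the wildcard to the address ranges the spokes actually use. The SA idle timeout tears down SAs from spokes that have gone quiet, which keeps the SA table on a hub with many spokes from filling with stale entries. display ipsec sa on the hub lists one SA pair per active spoke.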