R3303-HP HSR6800 Routers Security Configuration Guide

To configure an IPsec policy that uses IKE, follow these steps (step, command, remarks):

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IPsec policy that uses IKE and enter its view.
   Command: ipsec policy policy-name seq-number isakmp
   Remarks: By default, no IPsec policy exists.

3. Configure an IPsec connection name.
   Command: connection-name name
   Remarks: Optional. By default, no IPsec connection name is configured.

4. Assign an ACL to the IPsec policy.
   Command: security acl [ ipv6 ] acl-number [ aggregation ]
   Remarks: By default, an IPsec policy does not reference any ACL.

5. Assign IPsec transform sets to the IPsec policy.
   Command: transform-set transform-set-name&<1-6>
   Remarks: By default, an IPsec policy does not reference any IPsec transform set. For SAs established through IKE negotiation, an IPsec policy can reference up to six IPsec transform sets. During negotiation, IKE searches for an IPsec transform set that fully matches at both ends of the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting protection are dropped.

6. Specify an IKE peer for the IPsec policy.
   Command: ike-peer peer-name
   Remarks: An IPsec policy cannot reference an IKE peer that is already referenced by an IPsec profile, and vice versa.

7. Enable and configure the perfect forward secrecy (PFS) feature for the IPsec policy.
   Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
   Remarks: Optional. By default, PFS is not used for negotiation. If the local end is configured with PFS, the remote end that initiates the negotiation must also be configured with PFS, and the DH group specified at both ends must be the same; otherwise, the negotiation fails. For more information about PFS, see "IKE security mechanism." The dh-group1 keyword is not available in FIPS mode.

8. Set the SA lifetime.
   Command: sa duration { time-based seconds | traffic-based kilobytes }
   Remarks: Optional. By default, the global SA lifetime is used. If IKE is used for IPsec SA establishment, the smaller of the local end's and the remote end's SA lifetimes is used.
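The eight steps above, gathered into one worked policy and checked against the constraints the remarks state (an ACL and an IKE peer must be present, at most six transform sets, dh-group1 excluded from FIPS mode, the smaller lifetime wins). This is an added example, not HP code or output: the policy and peer names, ACL number, transform-set names and lifetime values are assumptions, and only the command syntax comes from the guide. The configuration text is constructed in the style of Comware display output, with a second policy that skips steps 4, 6 and 8 and uses dh-group1 so the checks have something to flag.

```python
"""Audit the 'ipsec policy ... isakmp' view described in steps 1 to 8.

Added example, not HP code. Policy and peer names, ACL number, transform-set
names and lifetimes are assumptions; the command syntax is the guide's.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_TRANSFORM_SETS = 6  # guide: an IKE-negotiated policy references at most six

# Constructed sample: one policy that follows every step, and one that is
# missing steps 4, 6 and 8 and uses dh-group1 (excluded from FIPS mode).
SAMPLE_CONFIG = """\
#
ipsec policy vpn-to-branch 10 isakmp
 connection-name branch-a
 security acl 3000
 transform-set aes-sha256 aes-sha1
 ike-peer branch-a
 pfs dh-group14
 sa duration time-based 3600
 sa duration traffic-based 1843200
#
ipsec policy weak 10 isakmp
 transform-set t1 t2 t3 t4 t5 t6 t7
 pfs dh-group1
#
"""


@dataclass
class IpsecPolicy:
    name: str
    seq: int
    connection_name: Optional[str] = None
    acl: Optional[str] = None
    transform_sets: List[str] = field(default_factory=list)
    ike_peer: Optional[str] = None
    pfs: Optional[str] = None
    lifetime: Dict[str, int] = field(default_factory=dict)  # kind -> value


def parse_policies(text: str) -> List[IpsecPolicy]:
    """Collect each 'ipsec policy NAME SEQ isakmp' view and the commands under it."""
    policies: List[IpsecPolicy] = []
    current: Optional[IpsecPolicy] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":          # '#' closes a view in Comware configuration output
            current = None
            continue
        m = re.match(r"ipsec policy (\S+) (\d+) isakmp$", line)
        if m:
            current = IpsecPolicy(m.group(1), int(m.group(2)))
            policies.append(current)
            continue
        if current is None or not line:
            continue
        words = line.split()
        if words[0] == "connection-name":
            current.connection_name = words[1]
        elif words[:2] == ["security", "acl"]:
            # security acl [ ipv6 ] acl-number [ aggregation ]
            current.acl = words[3] if words[2] == "ipv6" else words[2]
        elif words[0] == "transform-set":
            current.transform_sets = words[1:]
        elif words[0] == "ike-peer":
            current.ike_peer = words[1]
        elif words[0] == "pfs":
            current.pfs = words[1]
        elif words[:2] == ["sa", "duration"]:
            current.lifetime[words[2]] = int(words[3])
    return policies


def audit(policy: IpsecPolicy) -> List[str]:
    """Return one finding per violated constraint from the guide's remarks."""
    findings = []
    if policy.acl is None:
        findings.append("no security acl: the policy selects no traffic to protect")
    if not policy.transform_sets:
        findings.append("no transform-set: IKE has nothing to match, no SA can be set up")
    elif len(policy.transform_sets) > MAX_TRANSFORM_SETS:
        findings.append("%d transform sets referenced, at most %d allowed"
                        % (len(policy.transform_sets), MAX_TRANSFORM_SETS))
    if policy.ike_peer is None:
        findings.append("no ike-peer: the policy has no remote to negotiate with")
    if policy.pfs is None:
        findings.append("pfs not configured: IPsec SA keys are derived from the IKE SA alone")
    elif policy.pfs == "dh-group1":
        findings.append("pfs dh-group1: not available in FIPS mode (768-bit MODP)")
    if not policy.lifetime:
        findings.append("no sa duration: the global SA lifetime applies")
    return findings


def effective_lifetime(local: Dict[str, int], remote: Dict[str, int]) -> Dict[str, int]:
    """Step 8: with IKE, the smaller of the two ends' lifetimes is used."""
    return {kind: min(d[kind] for d in (local, remote) if kind in d)
            for kind in set(local) | set(remote)}


if __name__ == "__main__":
    for p in parse_policies(SAMPLE_CONFIG):
        print("ipsec policy %s %d: %s" % (p.name, p.seq, audit(p) or "ok"))
```

The parser only understands the commands listed in steps 2 to 8, so run it on the output of a configuration display rather than on a full device backup, and treat a missing pfs as something to justify rather than a hard error: the guide makes PFS optional, but a policy without it derives every IPsec SA key from the IKE SA alone.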