Manualshelf

R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution
261262263264265266267268269270
256
Ste
p
Command
Remar
k
9. Enable the IPsec policy.
policy enable
Optional.
Enabled by default.
10. Return to system view.
quit N/A
11. Set the global SA lifetime.
ipsec sa global-duration
{ time-based seconds |
traffic-based kilobytes }
Optional.
3600 seconds for time-based SA
lifetime by default.
1843200 kilobytes for
traffic-based SA lifetime by default.
2. Configure an IPsec policy that uses IKE by referencing an IPsec policy template.
The parameters configurable for an IPsec policy template are the same as those you configure
when directly configuring an IPsec policy that uses IKE. The difference is that more parameters are
optional.
{ Required configuration: The IPsec transform sets and IKE peer.
{ Optional configuration: The ACL, PFS feature, and SA lifetime. Unlike the direct configuration,
ACL configuration to be referenced by an IPsec policy is optional. The responder without ACL
configuration accepts the initiator's ACL configuration.
To configure an IPsec policy that uses IKE by referencing an IPsec policy template:
Ste
p
Command
Remar
k
1. Enter system view.
system-view N/A
2. Create an IPsec policy
template and enter its view.
ipsec policy-template
template-name seq-number
By default, no IPsec policy template
exists.
3. Specify the ACL for the IPsec
policy to reference.
security acl [ ipv6 ] acl-number
Optional.
By default, an IPsec policy does not
reference any ACL
In IKE negotiation mode, ACL only
supports fuzzy match.
4. Specify the IPsec transform
sets for the IPsec policy to
reference.
transform-set
transform-set-name&<1-6>
By default, an IPsec policy does not
reference any IPsec transform set.
With SAs to be established through
IKE negotiation, an IPsec policy
can reference up to six IPsec
transform sets. During negotiation,
IKE searches for a fully matched
IPsec transform set at the two ends
of the expected IPsec tunnel. If no
match is found, no SA can be set
up and the packets expecting to be
protected will be dropped.
5. Specify the IKE peer for the
IPsec policy to reference.
ike-peer peer-name
An IPsec policy cannot reference
any IKE peer that is already
referenced by an IPsec profile, and
vice versa.