Command Reference Guide

3Com Router 3000 Ethernet Family
Chapter 5 IPSec Configuration Commands
3Com Corporation
Use the undo ipsec policy policy-name seq-number command to delete an IPSec
policy whose name is policy-name and sequence number is seq-number.
By default, no ipsec policy exists.
To establish an ipsec policy, it is necessary to specify the negotiation mode (manual or
isakmp). To modify the ipsec policy, it is not necessary to specify a negotiation mode.
Once the ipsec policy is established, its negotiation mode cannot be modified. For
example: if an ipsec policy is established in manual mode, it cannot be changed to
isakmp mode--this ipsec policy must be deleted and then recreated, if appropriate, with
the negotiation mode being isakmp.
Ipsec policies with the same name constitute an ipsec policy group. The name and
sequence number are used together to define a unique ipsec policy. In an ipsec policy
group, at most 100 ipsec policies can be set. Within a group, the smaller the
sequence number of an ipsec policy, the higher its preference. Applying an ipsec
policy group at an interface means applying all ipsec policies in the group
simultaneously, so that different data streams can be protected by adopting different
SAs.
Use the ipsec policy policy-name seq-number isakmp template template-name
command to establish an ipsec policy according to the template through IKE negotiation.
Before using this command, the template should have been created. During the
negotiation and policy matching, the parameters defined in the template should be
compliant; the other parameters are decided by the initiator. The proposal must be
defined in the policy template; other parameters are optional.
Caution:
• IKE will not use a policy with a template argument to initiate a negotiation. Rather, it
uses such a policy to respond to the negotiation initiated by its peer.
• The number of an IPSec policy configured by referencing an IPSec policy template
must be greater than that of an IPSec policy not configured in that way. Otherwise,
the responding party can find a match and the negotiation fails.
Related command: ipsec policy (interface view), security acl, tunnel local, tunnel
remote, sa duration, proposal, display ipsec policy, ipsec policy-template,
ike-peer.
Example
# Set an ipsec policy whose name is newpolicy1, sequence number is 100, and
negotiation mode is isakmp.
[3Com] ipsec policy newpolicy1 100 isakmp
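
The following is an added example, not part of the 3Com guide: a small offline check that reads ipsec policy lines from a saved configuration and reports violations of the rules above (template-referencing policies numbered above the others in the same group, no change of negotiation mode for an existing policy, at most 100 policies per group). The function names, the finding messages and the sample configuration are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Command form from the guide: ipsec policy <name> <seq> manual|isakmp [template <t>]
# An optional "[3Com]"-style prompt prefix is tolerated.
POLICY_RE = re.compile(
    r"^\s*(?:\[[^\]]*\]\s*)?ipsec policy (\S+) (\d+) (manual|isakmp)"
    r"(?: template (\S+))?\s*$")
MAX_PER_GROUP = 100  # per-group limit stated in the guide

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = """\
ipsec policy branch 10 isakmp
ipsec policy branch 5 isakmp template tmpl1
ipsec policy branch 200 isakmp template tmpl2
ipsec policy hq 10 manual
ipsec policy hq 10 isakmp
"""

def parse_policies(text):
    """Group parsed policies by name: {name: [(seq, mode, template|None)]}."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            name, seq, mode, template = m.groups()
            groups[name].append((int(seq), mode, template))
    return groups

def lint(text):
    """Return findings for the ordering, mode and size rules."""
    findings = []
    for name, entries in sorted(parse_policies(text).items()):
        if len({seq for seq, _, _ in entries}) > MAX_PER_GROUP:
            findings.append(f"{name}: more than {MAX_PER_GROUP} policies in group")
        modes = defaultdict(set)
        for seq, mode, _ in entries:
            modes[seq].add(mode)
        for seq in sorted(s for s, m in modes.items() if len(m) > 1):
            findings.append(f"{name} {seq}: mode change requires undo and recreate")
        plain = [seq for seq, _, tmpl in entries if tmpl is None]
        for seq, _, tmpl in sorted(e for e in entries if e[2] is not None):
            if plain and seq <= max(plain):
                findings.append(
                    f"{name} {seq}: template policy ({tmpl}) must be numbered "
                    f"above {max(plain)}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```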