F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Command Reference-6PW100

Usage guidelines
Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to the
interface, remove the original application first. An IPsec policy group can be applied to more than one
interface.
With an IPsec policy group applied to an interface, the system uses each IPsec policy in the group to
protect certain data flows.
For each packet to be sent out of an IPsec-protected interface, the system checks the IPsec policies of the
IPsec policy group in ascending order of sequence number. If it finds an IPsec policy whose ACL
matches the packet, it uses that IPsec policy to protect the packet. If the ACL of no IPsec policy in the
group matches the packet, the system does not provide IPsec protection for the packet and sends it out directly.
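The lookup order described above, modeled as an added Python example (not part of the HP reference), useful for checking which flows a policy group would leave unprotected. The ACL is simplified to permitted source/destination prefix pairs, and the class names, function names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class IpsecPolicy:
    seq: int                  # seq-number, 1 to 65535
    mode: str                 # "isakmp" or "manual"
    acl: list = field(default_factory=list)  # simplified ACL: (src prefix, dst prefix) pairs

    def matches(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
                   for a, b in self.acl)

def select_policy(group, src, dst):
    """Walk the group in ascending seq-number order; the first ACL match wins.
    None means the packet leaves the interface without IPsec protection."""
    for policy in sorted(group, key=lambda p: p.seq):
        if policy.matches(src, dst):
            return policy
    return None

def unprotected_flows(group, flows):
    """Audit helper: flows that no policy in the group would protect."""
    return [f for f in flows if select_policy(group, *f) is None]

# Constructed policy group "pg1", deliberately listed out of order.
PG1 = [
    IpsecPolicy(20, "manual", [("10.1.0.0/16", "10.2.0.0/16")]),
    IpsecPolicy(10, "isakmp", [("10.1.1.0/24", "10.2.0.0/16")]),
]

# Constructed flows (source, destination) leaving the protected interface.
FLOWS = [
    ("10.1.1.5", "10.2.3.4"),    # matches seq 10 and seq 20; seq 10 is checked first
    ("10.1.9.9", "10.2.3.4"),    # matches seq 20 only
    ("10.1.1.5", "192.0.2.10"),  # matches nothing; sent unprotected
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        hit = select_policy(PG1, src, dst)
        print(src, "->", dst, ":",
              f"policy seq {hit.seq} ({hit.mode})" if hit else "no IPsec protection")
    print("unprotected:", unprotected_flows(PG1, FLOWS))
```
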
Examples
# Apply IPsec policy group pg1 to interface GigabitEthernet 0/2.
<Sysname> system-view
[Sysname] interface gigabitethernet 0/2
[Sysname-GigabitEthernet0/2] ipsec policy pg1
Related commands
ipsec policy (system view)
ipsec policy (system view)
Use ipsec policy to create an IPsec policy and enter its view.
Use undo ipsec policy to delete the specified IPsec policies.
Syntax
ipsec policy policy-name seq-number [ isakmp | manual ]
undo ipsec policy policy-name [ seq-number ]
Default
No IPsec policy exists.
Views
System view
Default command level
2: System level
Parameters
policy-name: Name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No hyphen (-) can
be included.
seq-number: Sequence number for the IPsec policy, in the range 1 to 65535.
isakmp: Sets up SAs through IKE negotiation.
manual: Sets up SAs manually.
Usage guidelines
When creating an IPsec policy, you must specify the generation mode.