R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101
69
To do… Use the command…
Remarks
Specify the authentication
algorithm for ESP
esp
authentication-algorithm
{ md5 | sha1 }
Optional
MD5 by default
Specify the authentication
algorithm for AH
ah
authentication-algorithm
{ md5 | sha1 }
Optional
MD5 by default
Specify the IP packet encapsulation mode for the IPsec
proposal
encapsulation-mode
{ transport | tunnel }
Optional
Tunnel mode by default
Transport mode applies
only when the source
and destination IP
addresses of data flows
match those of the IPsec
tunnel.
NOTE:
• Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to
existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up usin
g
the
updated parameters.
• Only when a security protocol is selected, can you configure security algorithms for it. For example, you
can specify the ESP-specific security algorithms only when you select ESP as the security protocol. ESP
supports three IP packet protection schemes: encryption only, authentication only, or both encryption
and authentication.
• You can configure up to 10000 IPsec proposals.
Configuring an IPsec policy
IPsec policies define which IPsec proposals should be used to protect which data flows. An IPsec policy
is uniquely identified by its name and sequence number.
IPsec policies fall into two categories:
• Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the
IP addresses of the two ends in tunnel mode.
• IPsec policy that uses IKE—The parameters are automatically negotiated through IKE.
1. Configuring a manual IPsec policy
a. Configuration guidelines
To ensure successful SA negotiations, follow these guidelines when configuring manual IPsec policies at
the two ends of an IPsec tunnel:
• The IPsec policies at the two ends must have IPsec proposals that use the same security protocols,
security algorithms, and encapsulation mode.
• The remote IP address configured on the local end must be the same as the IP address of the remote
end.
• At each end, configure parameters for both the inbound SA and the outbound SA and ensure that
different SAs use different SPIs.
• The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true
of the local outbound SA and remote inbound SA.