R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

71
NOTE:
An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last
one takes effect.
A manual IPsec policy can reference only one IPsec proposal. To change an IPsec proposal for an IPsec
policy, you must remove the proposal reference first.
If you configure a key in two modes: string and hexadecimal, only the last configured one will be used.
You cannot change the creation mode of an IPsec policy from manual to through IKE, or vice versa. To
create an IPsec policy that uses IKE, delete the manual IPsec policy, and then use IKE to configure an
IPsec policy.
2. Configuring an IPsec policy that uses IKE
To configure an IPsec policy that uses IKE, use one of the following methods:
Directly configure it by configuring the parameters in IPsec policy view.
Configure it by referencing an existing IPsec policy template with the parameters to be negotiated
configured. A device referencing an IPsec policy that is configured in this way cannot initiate SA
negotiation but can respond to a negotiation request. The parameters not defined in the template
will be determined by the initiator. This approach applies to scenarios where the remote end's
information, such as the IP address, is unknown.
a. Configuration prerequisites
Configure the ACLs and the IKE peer for the IPsec policy. For more information about IKE configuration,
see the chapter “IKE configuration.”
The parameters for the local and remote ends must match.
b. Configuration procedure
Directly configure an IPsec policy that uses IKE
Follow these steps to directly configure an IPsec policy that uses IKE:
To do… | Use the command… | Remarks
Enter system view | system-view |
Create an IPsec policy that uses IKE and enter its view | ipsec policy policy-name seq-number isakmp | Required. By default, no IPsec policy exists.
Assign an ACL to the IPsec policy | security acl acl-number [ aggregation ] | Required. By default, an IPsec policy references no ACL.
Assign IPsec proposals to the IPsec policy | proposal proposal-name&<1-6> | Required. By default, an IPsec policy references no IPsec proposal.
Specify an IKE peer for the IPsec policy | ike-peer peer-name | Required. An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa.
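The following is an added worked example, not a configuration taken from this guide, that walks the procedure above end to end on a constructed two-site topology (headquarters gateway 1.1.1.1 protecting 10.1.1.0/24, branch gateway 2.2.2.2 protecting 10.1.2.0/24). Only the four policy-view commands in the table are from this page; the ACL, IKE peer and IPsec proposal commands are the prerequisites the section refers to and are assumed from the ACL, IKE and proposal chapters, and the policy-template commands under method 2 are likewise assumed from elsewhere in the guide. Device name, policy names, addresses and the pre-shared key placeholder are all made up for the example. Lines beginning with # are annotations, not CLI input.

```text
# Constructed example: HQ gateway. The branch gateway needs the mirror-image
# configuration (swapped ACL source/destination, remote-address 1.1.1.1) so
# that, as the prerequisites require, the parameters on both ends match.
#
# Prerequisite 1: the ACL that identifies traffic to protect.
# An IPsec policy references only ONE ACL, so put every flow to be protected
# into rules of this single ACL rather than configuring a second ACL later.
<HQ> system-view
[HQ] acl number 3000
[HQ-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[HQ-acl-adv-3000] quit
#
# Prerequisite 2: the IKE peer (commands assumed from the IKE chapter).
# The key is a placeholder; use a long random secret and keep it out of
# shared configuration exports.
[HQ] ike peer branch
[HQ-ike-peer-branch] pre-shared-key simple REPLACE-WITH-STRONG-KEY
[HQ-ike-peer-branch] remote-address 2.2.2.2
[HQ-ike-peer-branch] quit
#
# Prerequisite 3: an IPsec proposal (commands assumed from the proposal chapter).
[HQ] ipsec proposal aes-sha1
[HQ-ipsec-proposal-aes-sha1] transform esp
[HQ-ipsec-proposal-aes-sha1] esp encryption-algorithm aes-cbc-128
[HQ-ipsec-proposal-aes-sha1] esp authentication-algorithm sha1
[HQ-ipsec-proposal-aes-sha1] quit
#
# Method 1: directly configured IKE policy, exactly the four table steps.
# "10" is the seq-number; a policy name can hold several entries with
# different seq-numbers, each tied to its own ACL/peer pair.
[HQ] ipsec policy hq-to-branch 10 isakmp
[HQ-ipsec-policy-isakmp-hq-to-branch-10] security acl 3000
[HQ-ipsec-policy-isakmp-hq-to-branch-10] proposal aes-sha1
[HQ-ipsec-policy-isakmp-hq-to-branch-10] ike-peer branch
[HQ-ipsec-policy-isakmp-hq-to-branch-10] quit
#
# Method 2 (responder-only, remote address unknown): a policy built from a
# template. Commands assumed from the policy-template section of the guide.
# The IKE peer deliberately has no remote-address; the initiator supplies
# the parameters the template leaves undefined, and this device can answer
# negotiation requests but never start one.
[HQ] ike peer roaming
[HQ-ike-peer-roaming] pre-shared-key simple REPLACE-WITH-ANOTHER-STRONG-KEY
[HQ-ike-peer-roaming] quit
[HQ] ipsec policy-template roaming-tmpl 1
[HQ-ipsec-policy-template-roaming-tmpl-1] proposal aes-sha1
[HQ-ipsec-policy-template-roaming-tmpl-1] ike-peer roaming
[HQ-ipsec-policy-template-roaming-tmpl-1] quit
[HQ] ipsec policy hq-to-branch 20 isakmp template roaming-tmpl
```

The policy still has to be applied to the outbound interface with the interface-view ipsec policy command (covered in a later section, not shown here) before it takes effect. Two checks worth doing after entering the configuration: confirm that the ACL rule set on each end is the exact mirror of the other, and confirm that the IKE peer referenced by the policy is not also referenced by an IPsec profile, since the remark in the table says the device rejects that combination.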