R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101
applied to an interface, for each packet arriving at the interface, the system checks the IPsec policies of
the IPsec policy group in the ascending order of sequence numbers. One IPsec tunnel will be established
for each data flow to be protected, and multiple IPsec tunnels may exist on an interface.
An IPsec profile is similar to an IPsec policy. The difference is that an IPsec profile is uniquely identified
by its name and it does not support ACL configuration. An IPsec profile defines the IPsec proposal to be
used for protecting data flows, and specifies the parameters for IKE negotiation. After an IPsec profile is
applied to an IPsec tunnel interface, only one IPsec tunnel is set up to protect all data flows that are routed
to the tunnel.
IPsec profiles can be applied to only IPsec tunnel interfaces. The IPsec tunnel established using an IPsec
profile protects all IP data routed to the tunnel interface.
Before configuring an IPsec profile, complete the following tasks:
• IPsec proposal configuration. For more information, see “Configuring an IPsec proposal.”
• IKE peer configuration. For more information, see the chapter “IKE configuration.”
The parameters for the local and remote ends must match.
NOTE:
• During an IKE negotiation based on an IPsec profile, the source and destination addresses of the IPsec
tunnel interface are used as the local and remote addresses; the local-address and remote-address
commands configured for IKE negotiation do not take effect.
• If you do not configure the destination address of the IPsec tunnel interface, the local peer can only be
an IKE negotiation responder; it cannot initiate an IKE negotiation.
Follow these steps to configure an IPsec profile:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create an IPsec profile and enter its view | ipsec profile profile-name | Required. By default, no IPsec profile exists. |
| Specify the IPsec proposals for the IPsec profile to reference | proposal proposal-name&<1-6> | Required. By default, an IPsec profile references no IPsec proposals. |
| Specify the IKE peer for the IPsec profile to reference | ike-peer peer-name | Required. An IPsec profile cannot reference any IKE peer that is already referenced by an IPsec policy, and vice versa. |
| Enable and configure the PFS feature for the IPsec profile | pfs { dh-group1 \| dh-group2 \| dh-group5 \| dh-group14 } | Optional. By default, the PFS feature is not used. For more information about PFS, see the chapter “IKE configuration.” |
| Set the SA lifetime | sa duration { time-based seconds \| traffic-based kilobytes } | Optional. By default, the SA lifetime of an IPsec profile equals the current global SA lifetime. |
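The steps above carried through for one peer, as an added example that is not taken from the guide. The profile commands are the ones in the table; the prerequisite objects (an IPsec proposal named prop1 and an IKE peer named peerB) and the tunnel-interface commands (interface tunnel, tunnel-protocol ipsec ipv4, source, destination, and ipsec profile in tunnel view) are assumed from the guide's other chapters and are not shown on this page. All names and addresses are constructed.

```text
# Constructed example: peer FW-A, tunnel source 192.0.2.1, remote peer 198.51.100.1.
# Assumed prerequisites (configured per the other chapters, syntax not on this page):
#   an IPsec proposal named prop1 and an IKE peer named peerB already exist,
#   and peerB is not referenced by any IPsec policy.
system-view
# Create the profile; it is identified by name only and accepts no ACL
ipsec profile profA
 proposal prop1
 ike-peer peerB
 # Optional: PFS with dh-group14, the strongest of the four listed groups
 pfs dh-group14
 # Optional: profile-specific SA lifetime instead of the global default
 # (1 hour of time or 1 GB of traffic, in the kilobyte unit the command takes)
 sa duration time-based 3600
 sa duration traffic-based 1048576
 quit
# Bind the profile to an IPsec tunnel interface (assumed tunnel-chapter syntax)
interface tunnel 1
 tunnel-protocol ipsec ipv4
 source 192.0.2.1
 destination 198.51.100.1
 ipsec profile profA
 quit
```

The remote peer is configured as the mirror image, with source and destination swapped and a proposal and IKE peer whose parameters match this side. The tunnel's source and destination, not any local-address or remote-address set on the IKE peer, are what IKE negotiation uses; leaving destination unset makes this firewall a responder only, which is a reasonable choice for a hub that should never initiate toward a spoke.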