R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

 security acl 3001
 ike-peer bb
 proposal 1
Configuration on Router B:
acl number 3001
 rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
 rule 1 deny ip
#
ipsec policy test 1 isakmp
 security acl 3001
 ike-peer aa
 proposal 1
Mirror image ACLs
See "Mirror image ACLs."
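As an added example (not from the HP guide), the Python sketch below checks that every permit rule in one peer's IPsec ACL has an exact mirror on the other peer, which is the property the Router A and Router B ACLs above are meant to have. The function names are hypothetical, Router A's rules are constructed because they are not on this page, and only rules with explicit address and wildcard pairs are parsed.

```python
import ipaddress
import re

# Comware-style advanced ACL rule; source/destination are address + wildcard.
RULE_RE = re.compile(
    r"rule\s+\d+\s+(permit|deny)\s+(\S+)"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?\s*$"
)

def _net(addr, wildcard):
    """Address + wildcard mask -> network; an omitted field means any."""
    if addr is None:
        return ipaddress.ip_network("0.0.0.0/0")
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # wildcard bits must be one contiguous low-order run
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def permit_flows(acl_text):
    """Return the set of (protocol, source, destination) permit rules."""
    flows = set()
    for line in acl_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(1) == "permit":
            flows.add((m.group(2), _net(m.group(3), m.group(4)),
                       _net(m.group(5), m.group(6))))
    return flows

def unmirrored(local_acl, remote_acl):
    """Permit rules on each side that lack an exact mirror on the other."""
    local, remote = permit_flows(local_acl), permit_flows(remote_acl)
    swap = lambda flows: {(p, d, s) for p, s, d in flows}
    return (sorted(local - swap(remote), key=str),
            sorted(remote - swap(local), key=str))

# Router B's ACL 3001 as shown on this page.
ROUTER_B = """rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip"""
# Constructed for this example: Router A's rules are not on this page.
ROUTER_A_MIRROR = """rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip"""
ROUTER_A_WIDE = """rule 0 permit ip source 1.1.0.0 0.0.255.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip"""

if __name__ == "__main__":
    print(unmirrored(ROUTER_A_MIRROR, ROUTER_B))  # both lists empty
    print(unmirrored(ROUTER_A_WIDE, ROUTER_B))    # one unmatched rule per side
```

A non-empty result identifies the rules to reconcile before the policy is applied; deny rules are ignored because they select no traffic for IPsec protection.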
Protection modes
See "Protection modes."
Configuring an IPsec proposal
An IPsec proposal, part of an IPsec policy or an IPsec profile, defines the security parameters for IPsec SA
negotiation, including the security protocol, the encryption and authentication algorithms, and the
encapsulation mode.
Configuration guidelines
Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes
to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using
the updated parameters.
You can configure security algorithms for a security protocol only after you select that protocol.
For example, you can specify the ESP-specific security algorithms only when you select ESP as the
security protocol. ESP supports three IP packet protection schemes: encryption only, authentication
only, or both encryption and authentication.
You can configure up to 10000 IPsec proposals.
Configuration procedure
To configure an IPsec proposal:
Step                              Command                            Remarks
1. Enter system view.             system-view                        N/A
2. Create an IPsec proposal       ipsec proposal proposal-name       By default, no IPsec proposal exists.
   and enter its view.
3. Specify the security           transform { ah | ah-esp | esp }    Optional.
   protocol for the proposal.                                        ESP by default.