R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
• The keys for the local and remote inbound and outbound SAs must be in the same format. For
example, if the local inbound SA uses a key in characters, the local outbound SA and remote
inbound and outbound SAs must use keys in characters.
Follow these guidelines when you configure an IPsec policy for an IPv6 routing protocol:
• You do not need to configure ACLs or IPsec tunnel addresses.
• Within a certain routed network scope, the IPsec proposals used by the IPsec policies on all routers
must have the same security protocols, security algorithms, and encapsulation mode. For OSPFv3,
the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be
directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected
neighbors or a neighbor group.
• All SAs (both inbound and outbound) within the routed network scope must use the same SPI and
keys.
• Configure the keys on all routers within the routed network scope in the same format. For example,
if you enter the keys in hexadecimal format on one router, do so across the routed network scope.
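An added example, not from the HP guide: a Python check that applies the guidelines above to an inventory of routers in one routed network scope and reports any router whose proposal, SPI, key, or key format has drifted. The dictionary layout, router names, and all SPI, key, and algorithm values are constructed assumptions; filling the inventory from real device configurations is left to your own tooling.

```python
# Added example: consistency audit for manual IPsec policies in one routed scope.
# The inventory layout and every value in it are constructed for illustration.
PROPOSAL_FIELDS = ("protocol", "auth_alg", "enc_alg", "encap_mode")

def audit_scope(routers):
    """Return findings for one scope (e.g. an OSPFv3 area); empty means consistent."""
    findings = []
    names = sorted(routers)
    ref_name = names[0]
    ref_prop = routers[ref_name]["proposal"]
    ref_sa = routers[ref_name]["sas"]["inbound"]
    for name in names:
        cfg = routers[name]
        # Proposals must agree on security protocol, algorithms, encapsulation mode.
        for field in PROPOSAL_FIELDS:
            if cfg["proposal"][field] != ref_prop[field]:
                findings.append(f"{name}: proposal {field} differs from {ref_name}")
        # Every SA, inbound and outbound, must use the same SPI, key and key format.
        for direction in ("inbound", "outbound"):
            sa = cfg["sas"][direction]
            if sa["spi"] != ref_sa["spi"]:
                findings.append(f"{name}: {direction} SPI differs from {ref_name}")
            if sa["key_format"] != ref_sa["key_format"]:
                findings.append(f"{name}: {direction} key format differs from {ref_name}")
            elif sa["key"] != ref_sa["key"]:
                # Report the mismatch only; never echo key material into findings.
                findings.append(f"{name}: {direction} key differs from {ref_name}")
    return findings

def make_router(out_spi=12345, out_format="characters", encap="transport"):
    """Build one constructed router record; defaults describe a consistent router."""
    sa_in = {"spi": 12345, "key_format": "characters", "key": "constructed-key"}
    sa_out = dict(sa_in, spi=out_spi, key_format=out_format)
    proposal = {"protocol": "esp", "auth_alg": "sha1", "enc_alg": "aes-128",
                "encap_mode": encap}
    return {"proposal": proposal, "sas": {"inbound": sa_in, "outbound": sa_out}}

# Constructed scope: R3 drifted on its outbound SA, R2 on encapsulation mode.
SCOPE = {
    "R1": make_router(),
    "R2": make_router(encap="tunnel"),
    "R3": make_router(out_spi=54321, out_format="hexadecimal"),
}

if __name__ == "__main__":
    for finding in audit_scope(SCOPE):
        print(finding)
```

The first router in sorted order serves as the reference, so if that router is the one that drifted, every other router is reported against it.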
Configuration prerequisites
Configure the ACLs that identify protected traffic, and configure the IPsec proposals. ACLs are not
required for IPsec policies for an IPv6 routing protocol.
Configuration procedure
To configure a manual IPsec policy:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a manual IPsec policy and enter its view. | ipsec policy policy-name seq-number manual | By default, no IPsec policy exists. |
| 3. Assign an ACL to the IPsec policy. | security acl acl-number | Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications. By default, an IPsec policy references no ACL. The ACL supports match criteria of the VPN instance attribute. An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last one takes effect. |
| 4. Assign an IPsec proposal to the IPsec policy. | proposal proposal-name | By default, an IPsec policy references no IPsec proposal. A manual IPsec policy can reference only one IPsec proposal. To change an IPsec proposal for an IPsec policy, you must remove the proposal reference first. |
| 5. Configure the local address of the tunnel. | tunnel local ip-address | Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications. Not configured by default. |