R211x-HP Flexfabric 11900 Security Configuration Guide
• The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires
when either lifetime expires.
Configuration procedure
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IKE-based IPsec policy entry and enter its view.
   Command: ipsec { ipv6-policy | policy } policy-name seq-number isakmp
   Remarks: By default, no IPsec policy exists.

3. (Optional.) Configure a description for the IPsec policy.
   Command: description text
   Remarks: By default, no description is configured.

4. Specify an ACL for the IPsec policy.
   Command: security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]
   Remarks: By default, no ACL is specified for the IPsec policy. An IPsec policy can reference only one ACL.

5. Specify IPsec transform sets for the IPsec policy.
   Command: transform-set transform-set-name&<1-6>
   Remarks: By default, the IPsec policy references no IPsec transform set.

6. Specify an IKE profile for the IPsec policy.
   Command: ike-profile profile-name
   Remarks: By default, the IPsec policy references no IKE profile, and the device selects an IKE profile configured in system view for negotiation. If no IKE profile is configured, the globally configured IKE settings are used. An IPsec policy can reference only one IKE profile, and it cannot reference any IKE profile that is already referenced by another IPsec policy. For more information about IKE profiles, see "Configuring IKE."

7. Specify the local IP address of the IPsec tunnel.
   Command: local-address { ipv4-address | ipv6 ipv6-address }
   Remarks: By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied. The local IP address specified by this command must be the same as the IP address used as the local IKE identity.

8. Specify the remote IP address of the IPsec tunnel.
   Command: remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }
   Remarks: By default, the remote IP address of the IPsec tunnel is not specified.

9. Set the IPsec SA lifetime.
   Command: sa duration { time-based seconds | traffic-based kilobytes }
   Remarks: By default, the global SA lifetime is used.
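
A pre-deployment check for planned policy entries, added here as an example and not taken from the HP guide: it parses constructed configuration text written with the commands above and flags entries that leave the ACL or remote address at their empty defaults, list fewer than one or more than six transform sets, or share an IKE profile with another entry. The parse and lint helpers, the indented-text layout, and all sample names, numbers and addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two planned policy entries written with the commands
# from the procedure above. Names, ACL numbers and addresses are made up.
SAMPLE = """\
ipsec policy branch 10 isakmp
 security acl 3101
 transform-set ts1 ts2
 ike-profile prof-a
 remote-address 198.51.100.1
ipsec policy hq 20 isakmp
 transform-set t1 t2 t3 t4 t5 t6 t7
 ike-profile prof-a
"""

HEAD = re.compile(r"^ipsec (?:ipv6-policy|policy) (\S+) (\d+) isakmp$")

def parse(text):
    """Return {(policy-name, seq-number): {command keyword: [argument lists]}}."""
    entries, cur = {}, None
    for line in text.splitlines():
        m = HEAD.match(line.strip())
        if m:
            cur = entries.setdefault((m.group(1), int(m.group(2))), defaultdict(list))
        elif cur is not None and line[:1] == " " and line.strip():
            words = line.split()  # indented line: a command inside the entry
            cur[words[0]].append(words[1:])
        else:
            cur = None  # unindented or blank line ends the entry
    return entries

def lint(text):
    """Check planned entries against the defaults and limits in the procedure."""
    findings, users = [], defaultdict(list)
    for key, cmds in parse(text).items():
        if not cmds["security"]:
            findings.append((key, "no ACL specified"))
        sets = [name for args in cmds["transform-set"] for name in args]
        if not 1 <= len(sets) <= 6:
            findings.append((key, f"{len(sets)} transform sets, need 1-6"))
        if not cmds["remote-address"]:
            findings.append((key, "no remote address"))
        for args in filter(None, cmds["ike-profile"]):
            users[args[0]].append(key)
    for prof, keys in users.items():
        if len(keys) > 1:  # a profile may be referenced by one policy only
            findings += [(k, f"IKE profile {prof} shared") for k in keys]
    return findings
```

Calling lint(SAMPLE) reports the three gaps in the hq entry and the prof-a profile shared by both entries.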










