R2511-HP MSR Router Series Security Command Reference(V5)

Views
System view
Default command level
2: System level
Parameters
policy-name: Specifies the name for the IPsec policy, a case-insensitive string of 1 to 15 characters. The
name cannot contain a minus sign (-).
seq-number: Specifies the sequence number for the IPsec policy, in the range of 1 to 65535.
gdoi: Sets up SAs through GDOI negotiation.
isakmp: Sets up SAs through IKE negotiation.
manual: Sets up SAs manually.
Usage guidelines
When creating an IPsec policy, you must specify the generation mode.
You cannot change the generation mode of an existing IPsec policy; you can only delete the policy and
then re-create it with the new mode.
IPsec policies with the same name constitute an IPsec policy group. An IPsec policy is identified uniquely
by its name and sequence number. In an IPsec policy group, an IPsec policy with a smaller sequence
number has a higher priority.
The undo ipsec policy command without the seq-number argument deletes an IPsec policy group.
To construct a group domain VPN, you must create a GDOI IPsec policy on a GM. For more information,
see Security Configuration Guide.
Examples
# Create an IPsec policy with the name policy1 and sequence number 101, and specify the manual
mode for it.
<Sysname> system-view
[Sysname] ipsec policy policy1 101 manual
[Sysname-ipsec-policy-manual-policy1-101]
Related commands
ipsec policy (interface view)
display ipsec policy
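The following Python script is an added example, not part of the HP reference. It audits the ipsec policy creation lines in a configuration text against the parameter limits and usage guidelines above, then lists each policy group in priority order. The function name, the sample configuration (policy names, template name, interface) and the assumption that a saved configuration lists policies in the same form as the command syntax are all constructed for illustration.

```python
import re
from collections import defaultdict

# Creation forms documented on this page:
#   ipsec policy <name> <seq> {gdoi | isakmp | manual}
#   ipsec policy <name> <seq> isakmp template <template-name>
POLICY_RE = re.compile(
    r"^\s*ipsec policy (\S+) (\d+) (gdoi|isakmp|manual)(?: template (\S+))?\s*$")

def audit_ipsec_policies(config_text):
    """Return (groups, problems) for the ipsec policy lines in config_text."""
    entries = defaultdict(dict)            # lower-cased name -> {seq: mode}
    problems = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = POLICY_RE.match(line)
        if not m:
            continue                       # e.g. interface-view "ipsec policy <name>"
        name, seq, mode, template = m[1], int(m[2]), m[3], m[4]
        key = name.lower()                 # policy names are case-insensitive
        if len(name) > 15 or "-" in name:
            reason = "invalid policy name"
        elif not 1 <= seq <= 65535:
            reason = "sequence number out of range"
        elif template and mode != "isakmp":
            reason = "template requires isakmp"
        elif entries.get(key, {}).get(seq, mode) != mode:
            reason = "mode change requires undo and re-create"
        else:
            entries[key][seq] = mode
            continue
        problems.append((lineno, reason))
    # A smaller sequence number means a higher priority within the group.
    groups = {n: sorted(p.items()) for n, p in entries.items()}
    return groups, problems

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
ipsec policy policy1 200 isakmp
ipsec policy POLICY1 101 manual
ipsec policy policy1 101 isakmp
ipsec policy branch-vpn 10 isakmp
ipsec policy policy2 70000 manual
ipsec policy policy2 5 isakmp template tmpl1
interface Ethernet1/1
 ipsec policy policy1
"""

if __name__ == "__main__":
    print(audit_ipsec_policies(SAMPLE_CONFIG))
```
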
ipsec policy isakmp template
Use ipsec policy isakmp template to create an IPsec policy by referencing an existing IPsec policy
template, so that IKE can use the IPsec policy for SA negotiation.
Use undo ipsec policy with the seq-number argument to delete an IPsec policy.
Use undo ipsec policy without the seq-number argument to delete an IPsec policy group.
Syntax
ipsec policy policy-name seq-number isakmp template template-name
undo ipsec policy policy-name [ seq-number ]