R2511-HP MSR Router Series Security Configuration Guide(V5)

• Required configuration: the IPsec transform sets and the IKE peer.
• Optional configuration: the ACL, the PFS feature, and the SA lifetime. Unlike the direct configuration, the ACL configuration to be referenced by an IPsec policy is optional. A responder without an ACL configuration accepts the initiator's ACL configuration.
To configure an IPsec policy that uses IKE by referencing an IPsec policy template:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Create an IPsec policy template and enter its view.
   Command: ipsec policy-template template-name seq-number
   Remarks: By default, no IPsec policy template exists.

Step 3. Specify the ACL for the IPsec policy to reference.
   Command: security acl acl-number
   Remarks: Optional. By default, an IPsec policy references no ACL.

Step 4. Specify the IPsec transform sets for the IPsec policy to reference.
   Command: transform-set transform-set-name&<1-6>
   Remarks: By default, an IPsec policy references no IPsec transform set. For SAs established through IKE negotiation, an IPsec policy can reference up to six IPsec transform sets. During negotiation, IKE searches for an IPsec transform set that fully matches at both ends of the expected IPsec tunnel. If no match is found, no SA can be set up and the packets that expect to be protected are dropped.

Step 5. Specify the IKE peer for the IPsec policy to reference.
   Command: ike-peer peer-name [ primary ]
   Remarks: N/A

Step 6. Enable and configure the perfect forward secrecy (PFS) feature for the IPsec policy.
   Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
   Remarks: Optional. By default, the PFS feature is not used for negotiation. If the local end uses PFS, the remote end must also use PFS for negotiation, and both ends must use the same DH group; otherwise, the negotiation fails. For more information about PFS, see "Configuring IKE." The dh-group1 keyword is not available in FIPS mode.

Step 7. Configure the SA lifetime.
   Command: sa duration { time-based seconds | traffic-based kilobytes }
   Remarks: Optional. By default, the global SA lifetime settings are used. When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer, whichever is smaller.
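The following CLI session is an added worked example, not configuration from the guide itself, showing a responder that references a policy template without an ACL so that it accepts the initiator's ACL. It assumes that a transform set named tran1 and an IKE peer named peer1 already exist, that the template is bound to a policy with the ipsec policy ... isakmp template command and applied with ipsec policy on an interface (commands from other sections of this guide, not this page), and that the names template1, policy1 and Serial 2/0 are placeholders. Lines beginning with # are annotations, not commands.

```text
# Responder side: the template carries no security acl, so the responder
# accepts the ACL proposed by the initiator.
<Router> system-view
[Router] ipsec policy-template template1 10
# Required: reference the existing transform set and IKE peer (names assumed).
[Router-ipsec-policy-template-template1-10] transform-set tran1
[Router-ipsec-policy-template-template1-10] ike-peer peer1
# Optional: require PFS. The initiator must also enable PFS with the same
# DH group, or negotiation fails. dh-group14 (2048-bit) is used rather than
# dh-group1 (768-bit), which is the weakest group and unavailable in FIPS mode.
[Router-ipsec-policy-template-template1-10] pfs dh-group14
# Optional: a one-hour time-based lifetime. IKE uses the smaller of this value
# and the lifetime proposed by the peer, so the peer cannot extend it.
[Router-ipsec-policy-template-template1-10] sa duration time-based 3600
[Router-ipsec-policy-template-template1-10] quit
# Bind the template to an IPsec policy and apply it to the interface
# (commands from other sections of the guide; interface name assumed).
[Router] ipsec policy policy1 10 isakmp template template1
[Router] interface Serial 2/0
[Router-Serial2/0] ipsec policy policy1
```

Because the template has no ACL, only the initiator decides which traffic the tunnel protects; review the initiator's ACL when auditing this responder.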