R2511-HP MSR Router Series Security Configuration Guide(V5)
Step 8. Enable the IPsec policy.
    Command: policy enable
    Remarks: Optional. Enabled by default.

Step 9. Return to system view.
    Command: quit
    Remarks: N/A

Step 10. Configure the global SA lifetime.
    Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
    Remarks: Optional. By default, time-based SA lifetime is 3600 seconds and traffic-based SA lifetime is 1843200 kilobytes.

Step 11. Create an IPsec policy by referencing an IPsec policy template.
    Command: ipsec policy policy-name seq-number isakmp template template-name
    Remarks: By default, no IPsec policy exists.

Applying an IPsec policy group to an interface
An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers.
In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
You can apply an IPsec policy group to a logical or physical interface to protect certain data flows. To
cancel the IPsec protection, remove the application of the IPsec policy group.
For each packet to be sent out an IPsec-protected interface, the system looks through the IPsec policies in
the IPsec policy group in ascending order of sequence numbers. If an IPsec policy matches the packet,
the system uses the IPsec policy to protect the packet. If no match is found, the system sends the packet out
without IPsec protection.
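
The lookup described above, modeled as an added example (not code from this guide or from the router software). It assumes each policy matches on a source and destination prefix, which this section does not specify; the class, function names, and addresses are constructed for illustration. It shows first-match selection by ascending sequence number, the cleartext fall-through when nothing matches, and a check for policies that a lower-numbered policy makes unreachable.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    seq: int   # sequence number within the policy group
    src: str   # protected source prefix (assumed match criterion)
    dst: str   # protected destination prefix (assumed match criterion)

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def select_policy(group, src_ip, dst_ip):
    """First matching policy in ascending seq order; None means sent unprotected."""
    for policy in sorted(group, key=lambda p: p.seq):
        if policy.matches(src_ip, dst_ip):
            return policy
    return None


def shadowed(group):
    """(seq, covering_seq) pairs for policies fully covered by a lower-seq policy."""
    ordered = sorted(group, key=lambda p: p.seq)
    hits = []
    for i, p in enumerate(ordered):
        for q in ordered[:i]:
            if (ipaddress.ip_network(p.src).subnet_of(ipaddress.ip_network(q.src))
                    and ipaddress.ip_network(p.dst).subnet_of(ipaddress.ip_network(q.dst))):
                hits.append((p.seq, q.seq))
                break
    return hits


# Constructed sample policy group (entry order does not matter; seq decides priority).
GROUP = [
    Policy(20, "10.1.0.0/16", "10.2.5.0/24"),
    Policy(10, "10.1.0.0/16", "10.2.0.0/16"),
    Policy(30, "10.1.0.0/16", "192.168.50.0/24"),
]

if __name__ == "__main__":
    for flow in [("10.1.1.1", "10.2.5.9"), ("10.1.1.1", "192.168.50.7"),
                 ("10.1.1.1", "8.8.8.8")]:
        chosen = select_policy(GROUP, *flow)
        print(flow, "->", f"policy seq {chosen.seq}" if chosen else "sent UNPROTECTED")
    print("shadowed policies:", shadowed(GROUP))
```

A flow that returns None here corresponds to a packet leaving the interface without IPsec protection, so auditing the group against the flows you expect to be protected catches gaps before deployment.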
In addition to physical interfaces like serial and Ethernet ports, you can apply an IPsec policy to virtual
interfaces, such as tunnel and virtual template interfaces, to tunnel applications such as GRE and L2TP.
An interface can reference only one IPsec policy group. An IPsec policy that uses IKE can be applied to
more than one interface, but a manual IPsec policy can be applied to only one interface.
To apply an IPsec policy group to an interface:
Step 1. Enter system view.
    Command: system-view

Step 2. Enter interface view.
    Command: interface interface-type interface-number

Step 3. Apply an IPsec policy group to the interface.
    Command: ipsec policy policy-name

Binding an IPsec policy, IPsec policy group, or IPsec profile to an encryption card
The following matrix shows the feature and router compatibility:










