3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

156 CHAPTER 10: IPSEC CONFIGURATION
On both ends of a security tunnel, the configured security association parameters
must be consistent. The inbound security association SPI and shared secret on the
local end must be the same as the outbound security association SPI and shared
secret on the peer end. The outbound security association SPI and shared secret on
the local end must be the same as the inbound ones on the peer end.
If both a character string key and a hex string key are configured, the last
configured one is adopted. On both ends of the security tunnel, the shared secret
must be entered in the same form. If the shared secret is entered as a character
string on one end and in hex on the other end, the security tunnel cannot be
established correctly.
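The following Python check is an added example, not part of the 3Com guide: it compares the manual SA lines from both ends of a tunnel and reports SPI, key-form and key mismatches using the inbound/outbound mirroring rule above. The keyed command forms it parses (`sa spi`, `sa string-key`, `sa authentication-hex`, `sa encryption-hex` followed by direction, protocol and value) are assumed by mirroring the `undo` forms in Table 137, and the sample configurations are constructed.

```python
import re

# Assumed syntax (mirrors the undo forms in Table 137): sa <cmd> <direction> <protocol> <value>
SA_LINE = re.compile(r"^\s*sa\s+(spi|string-key|authentication-hex|encryption-hex)\s+"
                     r"(inbound|outbound)\s+(ah|esp)\s+(\S+)\s*$")

def parse_manual_sa(config_text):
    """Return {(direction, protocol): {"spi", "form", "keys"}} for one end."""
    sas = {}
    for line in config_text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue
        cmd, direction, proto, value = m.groups()
        sa = sas.setdefault((direction, proto), {"spi": None, "form": None, "keys": {}})
        if cmd == "spi":
            sa["spi"] = int(value)
            continue
        form = "string" if cmd == "string-key" else "hex"
        if sa["form"] != form:  # the last configured key form replaces the other
            sa["keys"] = {}
        sa["form"] = form
        sa["keys"][cmd] = value.lower() if form == "hex" else value
    return sas

def check_tunnel(local_cfg, peer_cfg):
    """List mismatches; key values are never included in the messages."""
    local, peer = parse_manual_sa(local_cfg), parse_manual_sa(peer_cfg)
    problems = []
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        for proto in ("ah", "esp"):
            a, b = local.get((mine, proto)), peer.get((theirs, proto))
            label = f"local {mine} / peer {theirs} {proto}"
            if a is None and b is None:
                continue
            if a is None or b is None:
                problems.append(f"{label}: configured on one end only")
            elif a["spi"] != b["spi"]:
                problems.append(f"{label}: SPI mismatch")
            elif a["form"] != b["form"]:
                problems.append(f"{label}: key form mismatch")
            elif a["keys"] != b["keys"]:
                problems.append(f"{label}: key mismatch")
    return problems

# Constructed sample (not from the manual): peer entered its outbound key in hex.
LOCAL = "sa spi inbound esp 54321\nsa string-key inbound esp demo-key\n"
PEER = "sa spi outbound esp 54321\nsa authentication-hex outbound esp 64656d6f\n"
print(check_tunnel(LOCAL, PEER))
```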
Creating IPsec Policies by using IKE
Following are the configuration tasks for creating an IPsec policy by using IKE.
Create IPsec policies by using IKE
Reference an IPsec proposal in the IPsec policy
Configure ACL referenced by the IPsec policy
Referencing an IKE peer in the IPsec policy
Configure the lifetime of an SA (optional)
Configure the PFS feature in negotiation (optional)
Configure IPsec DPD (optional)
1 Creating an IPsec policy by using IKE
Perform the following configurations in system view.
If you want to create a dynamic IPsec policy by making use of an IPsec policy
template, you must first define the policy template. For more information about
defining a policy template, see “Configuring IPsec Policy Template”.
2 Referencing an IPsec proposal in the IPsec policy
Table 137 Configure key used by security association
Operation                                 Command
Delete configured security association    undo sa string-key { inbound | outbound } { ah | esp }
parameter                                 undo sa authentication-hex { inbound | outbound } { ah | esp }
                                          undo encryption-hex { inbound | outbound } esp
Table 138 Create an IPsec policy
Operation                                 Command
Create an IPsec policy by using IKE and   ipsec policy policy-name seq-number isakmp
access the IPsec policy view
Dynamically create an IPsec policy by     ipsec policy policy-name seq-number isakmp [ template template-name ]
using IKE and an IPsec policy template
Modify an IPsec policy that has been      ipsec policy policy-name seq-number isakmp
established by using IKE negotiation
Delete the specified IPsec policy         undo ipsec policy policy-name [ seq-number ]