3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide
380 CHAPTER 22: IPSEC CONFIGURATION COMMANDS
isakmp: Sets up SAs through IKE negotiation.
template: Dynamically sets up SAs by using a policy template. The policy-name
discussed here references template-name, which is the name of a policy template
that has already been created.
template-name: Name of the template.
Description
Use the ipsec policy command to establish or modify an IPsec policy, and enter
IPsec policy view.
Use the undo ipsec policy policy-name command to delete an IPsec policy group
whose name is policy-name.
Use the undo ipsec policy policy-name seq-number command to delete an IPsec
policy whose name is policy-name and sequence number is seq-number.
By default, no IPsec policy exists.
To establish an IPsec policy, it is necessary to specify the negotiation mode
(manual or isakmp). To modify the IPsec policy, it is not necessary to specify a
negotiation mode.
Once the IPsec policy is established, its negotiation mode cannot be modified. For
example, if an IPsec policy is established in manual mode, it cannot be changed to
isakmp mode; the policy must be deleted and then recreated, if appropriate, with
isakmp as the negotiation mode.
IPsec policies with the same name constitute an IPsec policy group. The name and
sequence number together define a unique IPsec policy. An IPsec policy group can
contain at most 500 IPsec policies. Within a group, the smaller the sequence
number of an IPsec policy, the higher its preference. Applying an IPsec policy
group to an interface applies all IPsec policies in the group simultaneously, so
that different data streams can be protected by different SAs.
Use the ipsec policy policy-name seq-number isakmp template template-name
command to establish an IPsec policy from the template through IKE negotiation.
The template must be created before this command is used. During negotiation
and policy matching, the parameters defined in the template must match; the
other parameters are decided by the initiator. The proposal must be defined in
the policy template; other parameters are optional.
Note that IKE does not use a policy with a template argument to initiate a
negotiation. Rather, it uses such a policy to respond to a negotiation initiated
by its peer.
Related command: ipsec policy (interface view), security acl, tunnel local,
tunnel remote, sa duration, proposal, display ipsec policy, ipsec
policy-template, ike-peer.
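
An added example, not part of the 3Com guide: a Python pre-check that replays a list of ipsec policy commands in order and flags the rules described above (mode required on creation, mode fixed once set, template created first, 500 policies per group), then lists a group in preference order. The creation line "ipsec policy-template <name> ..." and all policy and template names in the sample are assumptions.

```python
import re

MAX_PER_GROUP = 500  # per-group limit stated in the text above
POLICY = re.compile(r"^(undo )?ipsec policy (\S+)(?: (\d+))?"
                    r"(?: (manual|isakmp))?(?: template (\S+))?$")
TEMPLATE = re.compile(r"^ipsec policy-template (\S+)")  # assumed creation syntax

def replay(lines):
    """Return (groups, findings); groups = {name: {seq: (mode, template)}}."""
    groups, templates, findings = {}, set(), []
    for n, raw in enumerate(lines, 1):
        line = " ".join(raw.split())
        if (t := TEMPLATE.match(line)):
            templates.add(t.group(1))
        m = POLICY.match(line)
        if not m:
            continue
        undo, name, seq, mode, tmpl = m.groups()
        seq = int(seq) if seq else None
        group = groups.get(name, {})
        if undo and seq is None:
            groups.pop(name, None)        # no seq-number: delete the whole group
        elif undo:
            group.pop(seq, None)          # delete a single policy
        elif seq is None:
            continue                      # not a create/modify command
        elif seq in group:
            if mode and mode != group[seq][0]:
                findings.append((n, "mode is fixed: undo and recreate"))
        elif mode is None:
            findings.append((n, "new policy needs manual or isakmp"))
        elif tmpl and tmpl not in templates:
            findings.append((n, "template not created yet"))
        elif len(group) >= MAX_PER_GROUP:
            findings.append((n, "group already holds 500 policies"))
        else:
            groups.setdefault(name, {})[seq] = (mode, tmpl)
    return groups, findings

def preference_order(groups, name):
    # Smallest seq-number first; True marks a template policy (responds only).
    return [(s, m, t is not None) for s, (m, t) in sorted(groups.get(name, {}).items())]

SAMPLE = [  # constructed input, not taken from a real device
    "ipsec policy branch 20 isakmp template tmpl1",  # template missing
    "ipsec policy-template tmpl1 1",
    "ipsec policy branch 20 isakmp template tmpl1",
    "ipsec policy branch 10 manual",
    "ipsec policy branch 10 isakmp"]                 # mode change rejected
```

Each finding is a (line number, message) pair, so a rejected line can be traced back to the change script before it is pasted into the switch.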