HP 6125XLG R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 215
Configuring a manual IPsec policy, Configuration restrictions and guidelines, Configuration procedure
View all HP 6125XLG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 215 highlights
Configuring a manual IPsec policy In a manual IPsec policy, the parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode. Configuration restrictions and guidelines Make sure the IPsec configurations at the two ends of an IPsec tunnel meet the following requirements: • The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode. • The remote IPv4 address configured on the local end must be the same as the primary IPv4 address of the interface applied with the IPsec policy at the remote end. The remote IPv6 address configured on the local end must be the same as the first IPv6 address of the interface applied with the IPsec policy at the remote end. • At each end, configure parameters for both the inbound SA and the outbound SA, and make sure the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP address, security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique. • The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA. • The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters. Configuration procedure To configure a manual IPsec policy: Step Command Remarks 1. Enter system view. system-view N/A 2. Create a manual IPsec policy entry and enter its ipsec { ipv6-policy | policy } view. policy-name seq-number manual 3. (Optional.) Configure a description for the IPsec policy. description text By default, no IPsec policy exists. By default, no description is configured. 4. Specify an ACL for the IPsec policy. security acl [ ipv6 ] { acl-number | name acl-name } By default, an IPsec policy references no ACL. An IPsec policy can reference only one ACL. 5. Specify an IPsec transform set for the IPsec transform-set transform-set-name policy. By default, an IPsec policy references no IPsec transform set. A manual IPsec policy can reference only one IPsec transform set. 206