HP 6125XLG R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 217
Configuration restrictions and guidelines, Directly configuring an IKE-based IPsec policy
View all HP 6125XLG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 217 highlights
• Configure it by referencing an existing IPsec policy template with the parameters to be negotiated configured. A device referencing an IPsec policy that is configured in this way cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator. When the remote end's information (such as the IP address) is unknown, this method allows the remote end to initiate negotiations with the local end. Configuration restrictions and guidelines To guarantee successful SA negotiations, make sure the IPsec configurations at the two ends of an IPsec tunnel meet the following requirements: • The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode. • The IPsec policies at the two tunnel ends must have the same IKE profile parameters. • An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped. • The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end. For an IPsec SA established through IKE negotiation: • The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller. • The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires. Directly configuring an IKE-based IPsec policy Step 1. Enter system view. Command system-view Remarks N/A 2. Create an IKE-based IPsec ipsec { ipv6-policy | policy } policy entry and enter its view. policy-name seq-number isakmp By default, no IPsec policy exists. 3. (Optional.) Configure a description for the IPsec policy. 4. Specify an ACL for the IPsec policy. 5. Specify IPsec transform sets for the IPsec policy. description text By default, no description is configured. security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ] By default, no ACL is specified for the IPsec policy. An IPsec policy can reference only one ACL. transform-set transform-set-name& By default, the IPsec policy references no IPsec transform set. 208