No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
ipsec policy (interface view)

ipsec policy (interface view)


The ipsec policy policy-name command applies an IPSec policy group to an interface.

The undo ipsec policy command deletes the IPSec policy group from an interface so that it is no longer protected by IPSec.

By default, no IPSec policy is applied to an interface.


ipsec policy policy-name

undo ipsec policy






Specifies the name of the IPSec policy applied to an interface. Ensure that the specified IPSec policy has been created in the system view.

The value is an existing IPSec policy name.


interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can apply an IPSec policy group to a physical or logical interface to protect data flows. In addition to physical interfaces such as serial interfaces and Ethernet interfaces, you can apply an IPSec policy group to virtual interfaces such as virtual template interfaces. IPSec policy groups can be used according to actual networking requirements. For example, when an enterprise branch establishes an IPSec tunnel with its headquarters through PPPoE, apply the IPSec policy group to a virtual interface. If an IPSec policy group is deleted from an interface, the interface cannot provide IPSec functions.

After an IPSec policy group is applied to an interface, all IPSec policies in the group are applied to the interface to protect different data flows.

When sending a packet, an interface matches the packet with the IPSec policies in the IPSec policy group in ascending order of sequence numbers. If the packet matches the ACL referenced by an IPSec policy, the packet is processed according to the IPSec policy. If no matching ACL is found after all IPSec policies are checked, the interface sends the packet directly without IPSec protection.


When the number of IPSec tunnels is larger than 50% of the maximum limit, high CPU usage alarms may be generated in a short period of time after the undo ipsec policy command is run. After all the SAs are cleared, the CPU usage restores to the normal range.

Only one IPSec policy group can be applied to one interface. An IPSec policy group except the shared IPSec policy group can be applied to only one interface. To apply a new IPSec policy group to the interface, remove the previous one first.


# Apply the IPSec policy group policy1 to an interface.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy policy1
Updated: 2019-05-29

Document ID: EDOC1000097293

Views: 149307

Downloads: 168

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Previous Next