
NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Applying an IPsec Policy

This section describes how to apply an IPsec policy to a tunnel interface so that the data flows matching the policy are protected.

Context

When an IPsec policy that relies on IKE negotiation is applied to an interface, no SA is established immediately. IKE is triggered to negotiate an IPsec SA only when a data flow matching that IPsec policy is sent out of the interface.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run service-location service-location-id

    A VSM HA backup group is created, and the VSM HA backup group view is displayed.

  3. Run location { follow-forwarding-mode | slot slot-id }

The CPU of a service board is bound to the VSM HA backup group.

  4. Run commit

    The configuration is committed.

  5. Run quit

    Return to the system view.

  6. Run service-instance-group service-instance-group-name

    A VSM HA service instance group is created, and the service instance group view is displayed.

  7. Run service-location service-location-id

    The service instance group is bound to an HA backup group.

  8. Run commit

    The configuration is committed.

  9. Run quit

    Return to the system view.

  10. Run interface tunnel tunnel-number

    A tunnel interface is created and the tunnel interface view is displayed.

  11. Run tunnel-protocol ipsec

    The encapsulation mode of the tunnel interface is configured to be IPSec.

  12. Run either of the following commands:
    • To configure an IP address for the tunnel interface, run the ip address ip-address mask command.

    • To configure the tunnel interface to borrow another interface's IP address, run the ip address unnumbered interface interface-type interface-number command.

    NOTE:

    If an available IP address exists on a device, run the ip address ip-address mask command to configure an IP address for the tunnel interface. The ip address unnumbered interface interface-type interface-number command is run only when no available IP address exists on a device.

    The ip address unnumbered interface interface-type interface-number command may bring the following risks:
    • If the IP address of another physical or logical interface is borrowed and the IP address of the interface changes, IPSec negotiation fails.
    • If the IP address of a physical interface is borrowed and the physical interface alternates between Up and Down, IPSec negotiation may fail.

  13. Run ipsec policy policy-name service-instance-group service-group-name

    The IPSec policy is applied on the interface.

  14. (Optional) Run ipsec generate-service-route

    The function of automatic IPsec service route generation is enabled.

    Automatic IPsec service route generation is mainly applied to the following two scenarios:

    • When a security policy is used to establish IPsec tunnels, you may not know the IPsec service route information of the remote end (such as the IP address and interface of the remote end). Therefore, static routes cannot be configured manually. In this case, run the ipsec generate-service-route command to enable the function of automatic IPsec service route generation.

    • When IPsec tunnels are established using a security policy, IPsec service routes are generated automatically during IPsec negotiation. If you want to provide the IPsec service routes by configuring static routes instead, run the undo ipsec generate-service-route command first to disable automatic IPsec service route generation.

  15. Run commit

    The configuration is committed.
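The procedure above carried through end to end, as an added example that is not taken from the guide: all names, numbers and addresses are constructed, the IPsec policy policy1 is assumed to have been configured beforehand, and the lines starting with # are annotations rather than commands.

```text
# Apply an IKE-negotiated IPsec policy to a tunnel interface (steps 1-15).
# Constructed values: service-location 1, service-instance-group group1,
# interface tunnel 1, address 10.1.1.1/24, IPsec policy policy1 (assumed to exist).
system-view
 service-location 1
  location follow-forwarding-mode
  commit
  quit
 service-instance-group group1
  service-location 1
  commit
  quit
 interface tunnel 1
  tunnel-protocol ipsec
  # A dedicated address is preferred: borrowing one with "ip address unnumbered"
  # carries the negotiation-failure risks listed in step 12.
  ip address 10.1.1.1 255.255.255.0
  ipsec policy policy1 service-instance-group group1
  # Optional (step 14): enable only when the remote service route is unknown
  # and cannot be configured as a static route.
  ipsec generate-service-route
  commit
  quit
```

After the final commit no IPsec SA exists yet; it is negotiated only once traffic matching policy1 leaves tunnel 1, so an absent SA right after configuration is expected rather than a fault.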

Updated: 2019-01-02

Document ID: EDOC1100055397
