NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring an IPsec Policy

IPsec policies come in two forms: common IPsec policies and IPsec policy templates. Either both ends of an IPsec tunnel use an IPsec policy, or one end uses an IPsec policy and the other end uses an IPsec policy template.

Prerequisites

Context

You can configure an IPsec policy or an IPsec policy template according to the actual network environment. IPsec policy templates are mainly used in scenarios where the peer's IP address is not fixed (for example, a remote site whose address is assigned dynamically), in which case the template end typically responds to negotiations initiated by the peer. Table 12-2 describes the relevant precautions.

Table 12-2 Precautions for IPsec policy templates and IPsec policies

Item: Configuration rules

IPsec policy template:

  • Only one end of an IPsec tunnel can use an IPsec policy in template mode. The other end of the tunnel must use an IPsec policy in IKE mode.

  • Only one policy in an IPsec policy group can reference an IPsec policy template, and that policy's sequence number must be larger than the sequence numbers of all other IPsec policies in the group. Otherwise, the other IPsec policies may become invalid.

  • The ACL, the IPsec proposal, and the IKE peer must be configured in the IPsec policy template. Other parameters are optional.

    During IKE negotiation, the parameters defined in the IPsec policy template must match those defined at the peer end. Parameters that are not defined in the template are determined by the initiator, and the responder accepts the initiator's values for them. Leave a parameter undefined in the template only when you are prepared to accept whatever the initiator proposes for it.

  • One policy template can reference multiple IPsec proposals, so that it can match the different IPsec proposals sent by different peers that initiate connection requests.

  • One policy template can reference only one ACL. To reference a new ACL, first cancel the original ACL.

IPsec policy (IKE mode):

  • The ACL, the IPsec proposal, and the IKE peer must be configured in the IPsec policy in IKE mode. Other parameters are optional.

  • One IPsec policy can reference multiple IPsec proposals, so that it can match the different IPsec proposals sent by different peers that initiate connection requests.

  • One IPsec policy can reference only one ACL. To reference a new ACL, first cancel the original ACL.

Precautions

One tunnel interface can use only one security policy group. Before configuring another security policy group for the interface, you must cancel the original security policy group. One security policy group can be applied only to one interface.

When a security policy group is applied to a tunnel interface, policies can be neither added to nor deleted from that group. To change the IPsec policies, run the undo ipsec policy command in the tunnel interface view to unbind the policy group, modify the policies, and then apply the group again.

After a security policy group is applied to an interface, the SA is not immediately established. The IKE negotiation is triggered to establish an SA only when the data flow that complies with an IPsec policy is transmitted over this interface.

When the interface sends a packet, it matches the packet against the policies in the security policy group in ascending order of sequence number. If the packet matches an ACL rule referenced by a policy, it is processed according to that policy; otherwise, the interface tries the next policy. If the packet matches no ACL rule in any policy, it is sent as is, without IPsec protection. Because unmatched traffic leaves the interface in the clear, check the ACLs carefully so that every flow that must be protected is covered by one of the policies.

Running the undo ipsec policy command in the interface view unbinds the policy group from the interface and deletes all IKE and IPsec SAs negotiated through it.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Enter the IPsec policy view or the IPsec policy template view, depending on the network environment, and configure the policy. Table 12-3 lists the commands for each mode; where only one command is shown, it applies to both modes.

    Table 12-3 Security policy configuration

    Step 1: Enter the IPsec policy view or the IPsec policy template view.

      IPsec policy mode: ipsec policy policy-name sequence-number

      IPsec policy template mode: ipsec policy-template template-name sequence-number

    Step 2: (Optional) Configure the local IP address.

      IPsec policy mode: local-address ip-address

      IPsec policy template mode: local-address localaddr [ binding interface interface-type interface-num vlan [ start-vlan-id1 end-vlan-id1 [ start-vlan-id2 end-vlan-id2 [ start-vlan-id3 end-vlan-id3 ] ] ] ]

      To save IP address resources, IPsec supports IP unnumbered, so the local address can be the same as the IP address of another interface on the device.

      If the local address is the same as the address of another interface on the device and the IPsec policy is configured on a tunnel interface, the device automatically generates the binding tunnel ipsec configuration on that interface. This marks the interface as bound to the IPsec policy, so it cannot be used for other services.

    Step 3: Configure the ACL referenced by the policy (both modes).

      security acl { acl-number | name acl-name }

    Step 4: Reference one or more IPsec proposals (both modes).

      proposal proposal-name &<1-6>

      When an SA is set up through IKE negotiation, an IPsec policy or IPsec policy template can reference up to six IPsec proposals. IKE negotiation searches for an IPsec proposal that matches completely at both ends of the security tunnel. If no completely matching proposal is found, the SA cannot be set up and the packets that need protection are discarded.

    Step 5: Reference an IKE peer (both modes).

      ike-peer peer-name

    Step 6: (Optional) Configure PFS for the negotiation (both modes).

      pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }

      If the local end uses PFS, the peer must perform a PFS exchange when initiating the negotiation, and the DH group configured at both ends must be the same; otherwise, the negotiation fails. Prefer dh-group14 (2048-bit MODP): dh-group1 (768-bit MODP) and dh-group2 (1024-bit MODP) are too weak for new deployments.

    Step 7: Bind the IPsec policy template to an IPsec policy.

      IPsec policy mode: - (not applicable)

      IPsec policy template mode: ipsec policy policy-name seq-number isakmp [ template template-name ]

      This command binds the IPsec policy template to an IPsec policy in the named policy group. The template takes effect once that IPsec policy group is applied to an interface.

      NOTE:

      In an IPsec policy group, only one IPsec policy can reference the IPsec policy template.

      The name of the policy template cannot be the same as the name of an IPsec policy.

  3. Run commit

    The configuration is committed.
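The following worked configuration is added here as an illustration of the procedure above and is not taken from the Huawei guide. It builds one policy group, vpn-group, containing an IKE-mode policy (sequence number 10) for a branch with a fixed address and a policy template bound at the highest sequence number (20) for peers whose addresses are not fixed. The ACL numbers 3001 and 3002, the proposal names prop-aes and prop-legacy, the IKE peer names peer-branch1 and peer-any, the IP addresses and the tunnel interface name are hypothetical; the ACLs, proposals and IKE peers are assumed to have been created beforehand as described in the preceding sections, and the interface binding command ipsec policy vpn-group is assumed from the undo ipsec policy form quoted under Precautions.

```text
# Added example, not from the original guide. ACL 3001/3002, proposals
# prop-aes/prop-legacy and IKE peers peer-branch1/peer-any are assumed to exist.
system-view

# Policy 10: IKE mode, fixed peer. ACL 3001 selects the traffic to protect.
# ACL, proposal and IKE peer are mandatory; local-address and pfs are optional.
ipsec policy vpn-group 10
 security acl 3001
 proposal prop-aes
 ike-peer peer-branch1
 local-address 203.0.113.1
 pfs dh-group14
 quit

# Template for peers whose address is not fixed. Up to six proposals may be
# listed so that different initiators can find a complete match.
ipsec policy-template tmpl-remote 1
 security acl 3002
 proposal prop-aes prop-legacy
 ike-peer peer-any
 pfs dh-group14
 quit

# Bind the template into the same group with the highest sequence number
# (20 > 10), so policy 10 is evaluated first and stays valid.
ipsec policy vpn-group 20 isakmp template tmpl-remote

# Apply the group to a tunnel interface (command form assumed from the
# 'undo ipsec policy' mentioned under Precautions; one group per interface).
interface Tunnel0/0/1
 ipsec policy vpn-group
 quit

commit
```

Because policies are matched in ascending sequence-number order, traffic matching ACL 3001 is always handled by policy 10 and its fixed peer, while the template at sequence 20 is reached only for traffic matching ACL 3002. No SA exists right after commit: IKE negotiation starts only when a packet matching one of the ACLs is sent over Tunnel0/0/1, and traffic matching neither ACL leaves the interface unprotected.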

Updated: 2019-01-02

Document ID: EDOC1100055397