3com 3031 Installation Instructions

IPSec Configuration
Perform the following in the System View (see Table 919).
The ipsec policy-template command takes you into the IPSec policy template
view, in which you can specify the parameters of the policy template.
The parameters configurable in an IPSec policy template are the same as those of
an IPSec policy, but only the IPSec proposal is mandatory; all other parameters
are optional. In IKE negotiation, if an IPSec policy template is used for
policy matching, the configured parameters must match, and the parameters
that are not configured take the values of the initiating side.
After configuring the policy template, you must execute the following command
(see Table 920) to apply the policy template just defined.
A policy created from an IPSec policy template cannot initiate the negotiation of
a security association, but it can respond to a negotiation.
Applying IPSec Policy Group to Interface
To put a defined SA into effect, you must apply an IPSec policy group to the
interface (logical or physical) where the outgoing or incoming data needs
encryption or decryption. Data on the interface is encrypted according to
the IPSec policy group, in conjunction with the peer router. Deleting the IPSec
policy group from the interface disables IPSec protection on the
interface.
Perform the following in the Interface View (see Table 921).
An interface can use only one IPSec policy group. Only an ISAKMP IPSec policy group
can be used on more than one interface. A manually configured IPSec policy group
can be used on only one interface.
When a packet is transmitted from an interface, the IPSec policies in the IPSec policy
group are searched by sequence number in ascending order. If the
access control list quoted by an IPSec policy permits the packet, the packet is
processed by that IPSec policy. If the packet is not permitted, the search continues with the
next IPSec policy. If the packet is not permitted by any access control list quoted by
the IPSec policies, it is transmitted directly (IPSec does not protect the packet).
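
The lookup order described above can be modeled offline to check which flows would leave an interface unprotected. This is an added example, not code from the 3Com manual; the policy labels, ACL rules and addresses are constructed, and the ACL model (ordered permit/deny rules on source and destination prefixes, first match decides) is a simplifying assumption.

```python
import ipaddress

# Constructed policy group: seq-number -> (policy label, ACL rules).
# Each ACL rule is (action, source prefix, destination prefix); the first
# rule that matches a packet decides, and no match counts as "not permitted".
POLICY_GROUP = {
    20: ("branch-b", [("permit", "10.1.0.0/16", "10.3.0.0/16")]),
    10: ("branch-a", [("deny", "10.1.9.0/24", "10.2.0.0/16"),
                      ("permit", "10.1.0.0/16", "10.2.0.0/16")]),
}

def acl_permits(rules, src, dst):
    """Return True if the first matching ACL rule permits src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

def select_policy(group, src, dst):
    """Walk policies in ascending seq-number; return (seq, label) or None."""
    for seq in sorted(group):
        label, rules = group[seq]
        if acl_permits(rules, src, dst):
            return seq, label
    return None  # no policy matched: the packet is sent without IPSec

def unprotected_flows(group, flows):
    """List the flows that would be transmitted without IPSec protection."""
    return [f for f in flows if select_policy(group, *f) is None]

# Constructed flows that the operator expects to be encrypted.
EXPECTED_PROTECTED = [
    ("10.1.1.5", "10.2.0.9"),   # permitted by seq 10
    ("10.1.1.5", "10.3.4.4"),   # not permitted by seq 10, permitted by seq 20
    ("10.1.9.7", "10.2.0.9"),   # denied in seq 10, no match in seq 20
    ("10.1.1.5", "10.4.0.1"),   # no ACL covers 10.4.0.0/16
]

if __name__ == "__main__":
    for flow in EXPECTED_PROTECTED:
        print(flow, "->", select_policy(POLICY_GROUP, *flow) or "CLEARTEXT")
```

The last two flows fall through every policy and would be forwarded in cleartext, which is the case to look for when reviewing the access control lists behind a policy group.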
Table 919   Configuring IPSec policy template

| Operation | Command |
|---|---|
| Create/Modify IPSec policy template | ipsec policy-template policy-template-name seq-number |
| Delete an IPSec policy template | undo ipsec policy-template policy-template-name [ seq-number ] |

Table 920   Quoting IPSec policy template

| Operation | Command |
|---|---|
| Quote an IPSec policy template | ipsec policy policy-name seq-number template template-name |

Table 921   Using IPSec policy group

| Operation | Command |
|---|---|
| Use the IPSec policy group | ipsec policy policy-name |
| Remove the IPSec policy group in use | undo ipsec policy |