
(Optional) Configuring an IPSec Profile

Context

Data transmitted between the central office and a branch, and between branches, can be encrypted to increase data security. Binding an IPSec profile to DSVPN can dynamically establish an mGRE over IPSec tunnel.

Before configuring an IPSec profile for DSVPN, you need to perform the following operations:

After completing the preceding configuration, perform the following operations on the Hub and Spokes.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec profile profile-name

    An IPSec profile is created and the IPSec profile view is displayed.

  3. Run ike-peer peer-name

    An IKE peer is bound to the IPSec profile.

  4. Run proposal proposal-name

    An IPSec proposal is bound to the IPSec profile.

  5. (Optional) Run pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group15 | dh-group16 | dh-group18 | dh-group19 | dh-group20 | dh-group21 | dh-group24 }

    The perfect forward secrecy (PFS) feature is used in IPSec negotiation.

    By default, PFS is not used in IPSec negotiation.

    If PFS is specified on the local end, you also need to specify PFS on the remote peer. The Diffie-Hellman groups specified on the two ends must be the same. Otherwise, the negotiation fails.

    In the DSVPN IPSec protection scenario, the IPSec profile must be applied to a tunnel interface, not to a physical interface.

  6. Run quit

    Return to the system view.

  7. Run interface tunnel interface-number

    The tunnel interface view is displayed.

  8. Run tunnel-protocol gre p2mp

    The tunnel encapsulation mode is configured.

  9. Run ipsec profile profile-name

    The tunnel interface is bound to an IPSec profile.
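
The following check is an added example, not part of the original procedure or vendor tooling: it reads the saved configuration of a Hub and a Spoke and reports the two mistakes called out above, a PFS setting that differs between the ends and an IPSec profile applied to something other than a GRE p2mp tunnel interface. The sample configurations, the names in them and the indentation-based layout are assumptions, and one IPSec profile per device is assumed.

```python
# Constructed sample configs (not from a real device). Assumed layout: a
# view-opening command starts in column 0 and its sub-commands are indented.
HUB = """ipsec profile profile1
 ike-peer hub
 proposal pro1
 pfs dh-group14
interface Tunnel0/0/0
 tunnel-protocol gre p2mp
 ipsec profile profile1
"""
SPOKE = """ipsec profile profile1
 ike-peer spoke1
 proposal pro1
 pfs dh-group19
interface GigabitEthernet1/0/0
 ipsec profile profile1
"""

def parse(config):
    """Map each column-0 command to the indented commands under it."""
    views, current = {}, []
    for line in config.splitlines():
        if line.strip() in ("", "#"):
            continue
        if not line[0].isspace():
            current = views.setdefault(line.strip(), [])
        else:
            current.append(line.strip())
    return views

def audit(name, config):
    """Return (PFS group or None, findings); assumes one profile per device."""
    pfs, findings = None, []
    for head, body in parse(config).items():
        if head.startswith("ipsec profile "):
            pfs = next((c.split()[1] for c in body if c.startswith("pfs ")), None)
        elif any(c.startswith("ipsec profile ") for c in body):
            if not head.lower().startswith("interface tunnel"):
                findings.append(f"{name}: profile applied to non-tunnel '{head}'")
            elif "tunnel-protocol gre p2mp" not in body:
                findings.append(f"{name}: '{head}' lacks tunnel-protocol gre p2mp")
    return pfs, findings

def audit_pair(hub, spoke):
    """Audit both ends, then require the same PFS setting on the two."""
    (h, found), (s, more) = audit("hub", hub), audit("spoke", spoke)
    mismatch = [f"PFS differs: hub={h} spoke={s}"] if h != s else []
    return found + more + mismatch
```

Calling `audit_pair(HUB, SPOKE)` on the constructed samples returns two findings: the Spoke applies the profile to a physical interface, and the two ends specify different Diffie-Hellman groups.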

Copyright © Huawei Technologies Co., Ltd.