An IPSec policy defines the IPSec proposals used to protect data flows of different types, and is the prerequisite for creating an SA. An IPSec policy binds an ACL to an IPSec proposal, and specifies the SA negotiation mode, source and destination of the IPSec tunnel, key, and SA lifetime.
An IPSec policy is identified by its name and sequence number, and multiple IPSec policies with the same IPSec policy name constitute an IPSec policy group. An IPSec policy can be established manually, in ISAKMP mode, or using an IPSec policy template. For IPSec policies established in ISAKMP mode or using an IPSec policy template, parameters are generated through IKE negotiation.
Select an IPSec policy establishment mode as needed:
When a GRE over IPSec tunnel is established using an ACL, only an IPSec policy in ISAKMP mode can be configured on the gateways at both ends.
When an L2TP over IPSec tunnel is established using an ACL and the LAC is used as the initiator, only an IPSec policy in ISAKMP mode can be configured on the LAC. When the LNS functions as the responder, either an IPSec policy in ISAKMP mode or an IPSec policy using an IPSec policy template can be configured on the LNS. In a Hub-Spoke VPN, an IPSec policy using an IPSec policy template is recommended.
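The following configuration sketch is an added example, not taken from the original page. It shows a policy group whose entries each bind an ACL to a proposal in ISAKMP mode, next to a template-based policy for a responder. It assumes Huawei VRP-style CLI syntax (the page does not name a platform, and exact keywords vary by device and software version); every name, number and address in it is a constructed placeholder.

```text
# Constructed sample; all names, numbers and addresses are placeholders.
# Assumed to be defined already: IKE peers "branch1", "branch2" and "spokes".

# Data flows to protect, one ACL per flow
acl number 3101
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.2.1.0 0.0.0.255
acl number 3102
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.2.2.0 0.0.0.255

# IPSec proposal: the security parameters applied to a protected flow
ipsec proposal prop1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

# Policy group "map1": same policy name, different sequence numbers.
# Each entry binds one ACL to a proposal. In ISAKMP mode the keys and
# SA parameters come from IKE negotiation with the named peer.
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer branch1
 proposal prop1
ipsec policy map1 20 isakmp
 security acl 3102
 ike-peer branch2
 proposal prop1

# Template-based policy for a responder such as a hub or an LNS:
# the template is referenced from an ISAKMP-mode policy entry.
ipsec policy-template tmpl1 10
 ike-peer spokes
 proposal prop1
ipsec policy hubmap 10 isakmp template tmpl1

# The policy group is applied to the interface that faces the tunnel peer.
interface GigabitEthernet0/0/1
 ipsec policy map1
```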