An IPSec profile defines how data flows are protected: the IPSec proposal, the IKE negotiation parameters used to set up SAs, the SA lifetime, and whether perfect forward secrecy (PFS) is used. An IPSec profile is similar to an IPSec policy. Unlike an IPSec policy, an IPSec profile is identified by its name alone (it has no sequence number) and supports only IKE negotiation mode, not manually configured SAs.
In an IPSec profile, you do not need to use ACL rules to define data flows. Instead, all the data flows routed to the IPSec tunnel interface are protected. After an IPSec profile is applied to an IPSec tunnel interface, only one IPSec tunnel is created. The IPSec tunnel protects all the data flows routed to the IPSec tunnel interface, simplifying IPSec policy management.
To ensure successful IKE negotiation, parameters in the IPSec profile on the local and remote ends must match.
Run the system-view command. The system view is displayed.
Run the ipsec profile command with the profile name. An IPSec profile is created and the IPSec profile view is displayed.
By default, no IPSec profile is created.
Run the proposal command with the IPSec proposal name. The IPSec proposal is referenced in the IPSec profile.
By default, no IPSec proposal is referenced in an IPSec profile.
The IPSec proposal must have been created.
Run the ike-peer command with the IKE peer name. The IKE peer is referenced in the IPSec profile.
By default, no IKE peer is referenced in an IPSec profile.
The IKE peer must have been created.
You do not need to configure a local address (the tunnel local command) for the IKE peer referenced in an IPSec profile: the source address of the GRE, mGRE or IPSec virtual tunnel interface is used as the local IKE address. For an IKE peer referenced in an IPSec profile, tunnel local has no effect.
When an IPSec profile is used, the destination address of the IPSec tunnel interface (the destination command) takes precedence as the remote address for IKE negotiation. If both remote-address on the IKE peer and destination on the tunnel interface are configured, they must specify the same IP address; otherwise IKE negotiation fails. To implement IKE peer redundancy, do not configure destination on the IPSec tunnel interface; instead, configure remote-address on the IKE peer referenced by the IPSec profile.
For the detailed configuration of an IKE peer, see Configuring an IKE Peer.
IPSec profiles do not support IPv6.
Run the pfs command with a DH group. The device is configured to use perfect forward secrecy (PFS) when the local end initiates negotiation.
By default, PFS is not used when the local end initiates negotiation.
With PFS, the local end performs an additional Diffie-Hellman (DH) exchange in IKEv1 phase 2 or in the IKEv2 CREATE_CHILD_SA exchange. Because the IPSec SA keys are then derived from fresh DH secret rather than only from the IKE SA key material, compromise of the IKE SA keys does not expose the IPSec SA keys, which improves the security of the protected traffic.
If PFS is specified on the local end, PFS must also be specified on the remote end, and the DH group must be the same on both ends; otherwise negotiation fails. When the local end uses an IPSec policy in ISAKMP mode and the remote end uses an IPSec policy created from an IPSec policy template, no DH group needs to be configured on the remote end; the DH group setting on the responder governs the negotiation.
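The complete procedure on one end, with the lines that differ on the peer, as an added example that is not part of the original page. It assumes Huawei VRP command syntax; the exact keyword set (the DH groups offered by pfs, the IKE proposal algorithm keywords, the form of the pre-shared-key command) depends on the product and software version, so check the command reference for your device. The names prof1, prop1, peer_hq and the IKE proposal number 10, the interface Tunnel0/0/1, the addresses 192.0.2.1 and 198.51.100.1, the tunnel subnet 10.0.0.0/30 and the protected subnets 172.16.10.0/24 and 172.16.20.0/24 are placeholders chosen for this example.

```text
#
# Local end, public address 192.0.2.1. Everything that takes part in IKE
# negotiation (IKE proposal, pre-shared key, IPSec proposal, PFS DH group)
# must match on the remote end.
#
system-view
#
# IPSec proposal: ESP with AES-256 and HMAC-SHA2-256 for the IPSec SA.
ipsec proposal prop1
 transform esp
 esp encryption-algorithm aes-256
 esp authentication-algorithm sha2-256
 quit
#
# IKE proposal and IKE peer. No "tunnel local" is configured: the source
# address of the tunnel interface is the local IKE address.
ike proposal 10
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
 dh group14
 quit
ike peer peer_hq
 pre-shared-key cipher <shared-secret>
 ike-proposal 10
 quit
#
# IPSec profile: no ACL; every flow routed into the tunnel is protected.
# PFS with group14 on both ends; group1/group2 (768/1024-bit MODP) are weak.
ipsec profile prof1
 proposal prop1
 ike-peer peer_hq
 pfs dh-group14
 quit
#
# IPSec virtual tunnel interface. "destination" supplies the remote IKE
# address, so no remote-address is set on the IKE peer (a different value
# there would make negotiation fail).
interface Tunnel0/0/1
 ip address 10.0.0.1 255.255.255.252
 tunnel-protocol ipsec
 source 192.0.2.1
 destination 198.51.100.1
 ipsec profile prof1
 quit
#
# Routing, not an ACL, selects the protected traffic.
ip route-static 172.16.20.0 255.255.255.0 Tunnel0/0/1
#
# Remote end, public address 198.51.100.1: identical proposals, IKE peer,
# profile and pfs dh-group14; only these lines differ.
interface Tunnel0/0/1
 ip address 10.0.0.2 255.255.255.252
 tunnel-protocol ipsec
 source 198.51.100.1
 destination 192.0.2.1
 ipsec profile prof1
 quit
ip route-static 172.16.10.0 255.255.255.0 Tunnel0/0/1
```

For IKE peer redundancy, leave destination out of the tunnel interface on the hub side and configure remote-address under ike peer peer_hq instead, as the text above describes. After traffic is routed into the tunnel, display ike sa and display ipsec sa show whether the IKE SA and the single IPSec SA pair for the tunnel interface came up; a PFS or DH group mismatch shows up as a missing IPSec SA even though the IKE SA is established.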