
Configuring an IPSec Policy in Manual Mode

Context

All security parameters of an IPSec policy configured in manual mode must be entered by hand. Because the configuration workload is heavy, manual-mode IPSec policies are suited to small-scale network environments.

When configuring an IPSec policy in manual mode, ensure that:
  • The parameters of the inbound and outbound SAs, including the authentication/encryption key and security parameter index (SPI), are configured on both IPSec peers.
  • The inbound SA's parameters on the local end are the same as the outbound SA's parameters on the remote end, and the outbound SA's parameters on the local end are the same as the inbound SA's parameters on the remote end.

After an IPSec policy group is applied to an interface, to add or delete an IPSec policy in the IPSec policy group or modify parameters of the IPSec policy, unbind the IPSec policy group from the interface and then apply the IPSec policy group to the interface again so that IPSec policies in the IPSec policy group take effect.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec policy policy-name seq-number manual

    An IPSec policy is created in manual mode and the IPSec policy view is displayed.

    By default, no IPSec policy is created.

  3. Run security acl acl-number

    An ACL is referenced in the IPSec policy.

    By default, an IPSec policy does not reference an ACL.

    acl-number is an advanced ACL that has been created.

    An IPSec policy can reference only one ACL. Before referencing a new ACL, you must delete the original ACL that has been referenced.

  4. Run proposal proposal-name

    An IPSec proposal is referenced in the IPSec policy.

    By default, an IPSec policy does not reference an IPSec proposal.

    proposal-name is an IPSec proposal that has been created.

    One IPSec policy can reference only one IPSec proposal. Before referencing a new IPSec proposal, you must delete the original IPSec proposal that has been referenced.

  5. Configure the local and remote IP addresses of an IPSec tunnel.

    1. Run tunnel local ipv4-address

      A local IP address is configured.

    2. Run tunnel remote ip-address

      A remote IP address is configured.

    By default, the local and remote IP addresses of an IPSec tunnel are not configured.

    The remote IP address at the local end must be the same as the local IP address at the remote end.

  6. Configure the SPI for the inbound or outbound SA.

    1. Run sa spi outbound { ah | esp } spi-number

      An SPI is configured for the outbound SA.

    2. Run sa spi inbound { ah | esp } spi-number

      An SPI is configured for the inbound SA.

    The security protocol must be the same as that specified in the transform command in Configuring an IPSec Proposal. If the security protocol specified in the transform command is ah-esp, both ah and esp must be specified in the sa spi command.

    To ensure that each SA is unique, the SPIs of the inbound and outbound SAs must be different.

  7. Configure authentication and encryption keys for the inbound or outbound SA.

    • The security protocol specified in the authentication and encryption key configuration commands must be the same as that specified in the transform command in Configuring an IPSec Proposal. If the security protocol specified in the transform command is ah-esp, both ah and esp authentication and encryption keys must be specified.
    • The two ends of an IPSec tunnel must use authentication keys in the same format. For example, if the key on one end is a character string but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be established.
    • If an inbound authentication key is configured both as a character string and in hexadecimal notation, the one configured later overwrites the original one.

    If AH is used, configure an authentication key.

    • Run sa string-key { inbound | outbound } ah string-key

      An authentication key in a character string is configured for AH.

    • Run sa authentication-hex { inbound | outbound } ah hex-string

      An authentication key in hexadecimal notation is configured for AH.

    If ESP is used, configure an authentication key.

    • Run sa string-key { inbound | outbound } esp string-key

      An authentication key in a character string is configured for ESP.

      When ESP is used with an authentication key in a character string, the device automatically generates the ESP encryption key. You do not need to configure the ESP encryption key.

    If ESP is used, configure authentication and encryption keys.

    1. (Optional) Run sa authentication-hex { inbound | outbound } esp hex-string

      An authentication key in hexadecimal notation is configured for ESP.

    2. (Optional) Run sa encryption-hex { inbound | outbound } esp hex-string

      An encryption key in hexadecimal notation is configured for ESP.

    You must run at least one of the preceding commands.

  8. (Optional) Run flow-vrf check disable

    The device is disabled from checking the VPN instance in data flows during IPSec encryption/decryption.

    By default, the device checks the VPN instance in data flows during IPSec encryption/decryption.

    When a branch connects to the headquarters and multiple VPNs are deployed in the headquarters, the branch accesses different VPNs based on services. The headquarters' IPSec tunnel can be bound to only one VPN instance, so VPNs import routes from each other for inter-VPN traffic forwarding. If a device detects VPN instance inconsistency when matching packets, it discards the packets. To prevent this problem, perform this step.
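The following is an added example, not Huawei code: a pre-deployment check of the mirroring rules stated in this procedure (each end's inbound SA must equal the other end's outbound SA, inbound and outbound SPIs must differ, key formats must match on both ends, and ah-esp in the proposal requires both ah and esp parameters). The peer addresses, SPIs and keys are constructed sample values, and the dictionary layout is this example's own representation of the tunnel, sa spi and sa key commands.

```python
# Constructed sample: what each peer enters under "ipsec policy p1 10 manual".
# "transform" is the protocol from the referenced IPSec proposal; keys are
# (format, value) pairs, format "string" (sa string-key) or "hex" (sa *-hex).
PEER_A = {
    "transform": "esp",
    "tunnel_local": "192.0.2.1", "tunnel_remote": "198.51.100.1",
    "spi": {"inbound": {"esp": 12345}, "outbound": {"esp": 54321}},
    "keys": {"inbound": {"esp": ("string", "abcdefg")},
             "outbound": {"esp": ("string", "gfedcba")}},
}
PEER_B = {
    "transform": "esp",
    "tunnel_local": "198.51.100.1", "tunnel_remote": "192.0.2.1",
    "spi": {"inbound": {"esp": 54321}, "outbound": {"esp": 12345}},
    "keys": {"inbound": {"esp": ("string", "gfedcba")},
             "outbound": {"esp": ("string", "abcdefg")}},
}

def required_protocols(transform):
    """ah-esp in the proposal requires both ah and esp SPIs and keys."""
    return ("ah", "esp") if transform == "ah-esp" else (transform,)

def check_peers(a, b):
    # Returns a list of problems; an empty list means the two ends mirror.
    problems = []
    if a["transform"] != b["transform"]:
        problems.append("proposal transform differs between peers")
    if a["tunnel_remote"] != b["tunnel_local"] or b["tunnel_remote"] != a["tunnel_local"]:
        problems.append("tunnel remote on one end must equal tunnel local on the other")
    for proto in required_protocols(a["transform"]):
        # Each end's inbound SA is compared with the other end's outbound SA.
        for name, local, remote in (("A", a, b), ("B", b, a)):
            spi_in = local["spi"]["inbound"].get(proto)
            spi_out = local["spi"]["outbound"].get(proto)
            if spi_in is None or spi_out is None:
                problems.append(f"peer {name}: missing {proto} SPI required by transform")
                continue
            if spi_in == spi_out:
                problems.append(f"peer {name}: inbound and outbound {proto} SPI must differ")
            if spi_in != remote["spi"]["outbound"].get(proto):
                problems.append(f"peer {name}: inbound {proto} SPI != peer's outbound SPI")
            key_in = local["keys"]["inbound"].get(proto)
            key_out = remote["keys"]["outbound"].get(proto)
            if key_in is None or key_out is None:
                problems.append(f"peer {name}: missing {proto} key")
            elif key_in[0] != key_out[0]:
                problems.append(f"peer {name}: {proto} key format {key_in[0]} vs {key_out[0]}")
            elif key_in != key_out:
                problems.append(f"peer {name}: inbound {proto} key != peer's outbound key")
    return problems
```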

Copyright © Huawei Technologies Co., Ltd.