
Configuring an IPSec Policy in ISAKMP Mode

Context

An IPSec policy configured in Internet Security Association and Key Management Protocol (ISAKMP) mode applies to a scenario where the remote IP address is fixed, and is often used in branch configuration.

Negotiated IPSec parameters of an IPSec policy are defined in the IPSec policy view, and the negotiation initiator and responder must use the same IPSec parameters. The end that has an ISAKMP IPSec policy configured can initiate IKE negotiation.

After an IPSec policy group to which an IPSec policy belongs is applied to an interface, the following situations occur:
  • To modify the IPSec proposal parameters, unbind the IPSec policy group from the interface and then apply the IPSec policy group to the interface again.
  • If other parameters are modified, these parameters will take effect during the next negotiation and are invalid for the tunnels that have been established through negotiation.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec policy policy-name seq-number isakmp

    An IPSec policy is created in ISAKMP mode and the IPSec policy view is displayed.

    By default, no IPSec policy is created.

  3. (Optional) Run smart-link profile profile-name

    An IPSec intelligent link selection profile is referenced in the IPSec policy.

    This command is required only in the IPSec intelligent link selection scenario.

    Skip step 8 after the IPSec policy references the IPSec intelligent link selection profile. This is because the local-address specified in the link command is dynamically used as the local address of the IPSec policy once IPSec intelligent link selection takes effect.

  4. (Optional) Run alias alias

    The alias of the IPSec policy is specified.

    By default, the system uses the combination of the name and sequence number of an IPSec policy as the alias. If the default alias has been used by another IPSec policy, the system uses the combination of the name, sequence number, and current time of an IPSec policy as the alias.

  5. Run security acl { ipv6 acl-number | acl-number }

    An ACL is referenced in the IPSec policy.

    By default, an IPSec policy does not reference an ACL.

    acl-number specifies an advanced ACL that has been created.

    An IPSec policy can reference only one ACL. Before referencing a new ACL, you must delete the original ACL that has been referenced.

  6. Run proposal proposal-name

    An IPSec proposal is referenced in the IPSec policy.

    By default, an IPSec policy does not reference an IPSec proposal.

    proposal-name specifies a created IPSec proposal.

    An IPSec policy configured in ISAKMP mode can reference a maximum of 12 IPSec proposals. During IKE negotiation, the two ends of an IPSec tunnel first use the IPSec proposals with the same parameter settings. If IPSec proposals with the same parameter settings cannot be found, an SA cannot be set up.

    When referencing multiple IPSec proposals in an IPSec policy, ensure that the encapsulation modes of all IPSec proposals referenced by the IPSec policy at both ends are the same. That is, the encapsulation modes are all transport or tunnel modes.

    When multiple authentication or encryption algorithms are configured in one IPSec proposal, the IPSec policy can no longer reference additional IPSec proposals once the total number of algorithms across the referenced IPSec proposals exceeds 255. The number of algorithms in one IPSec proposal is calculated as follows: Number of algorithms in one IPSec proposal = (number of authentication algorithms used in the AH protocol) x (number of authentication algorithms used in the ESP protocol) x (number of encryption algorithms used in the ESP protocol). If no authentication or encryption algorithm is configured for a protocol, its factor is counted as 1.

  7. Run ike-peer peer-name

    An IKE peer is referenced in the IPSec policy.

    By default, an IPSec policy does not reference an IKE peer.

    peer-name specifies a created IKE peer. For the detailed configuration of an IKE peer, see Configuring an IKE Peer.

    IPSec policies with different sequence numbers in the same IPSec policy group cannot reference IKE peers with the same IP address.

  8. (Optional) Run tunnel local { ipv4-address | ipv6-address | applied-interface }

    A local IP address of an IPSec tunnel is configured.

    By default, the local IP address of an IPSec tunnel is not configured.

    For the IKE negotiation mode, you do not need to configure an IP address for the local end of an IPSec tunnel. During SA negotiation, the device will select a proper address based on route information. The local address needs to be configured in the following situations:
    • If the IP address of the interface to which an IPSec policy is applied varies or is unknown, run the tunnel local { ipv4-address | ipv6-address } command to specify the IP address of another interface (such as the loopback interface) on the device as the IP address for the local end of an IPSec tunnel. Otherwise, run the tunnel local applied-interface command to specify the IP address of the interface to which an IPSec policy is applied as the local address of an IPSec tunnel.
    • If the interface to which an IPSec policy is applied has multiple IP addresses (one primary IP address and several secondary IP addresses), run the tunnel local { ipv4-address | ipv6-address } command to specify one of these IP addresses as the IP address for the local end of an IPSec tunnel. Otherwise, run the tunnel local applied-interface command to specify the primary IP address of the interface as the local address of an IPSec tunnel.
    • If equal-cost routes exist between the local and remote ends, run the tunnel local command to specify a local IP address for an IPSec tunnel.
    • If an IPSec policy is created in IKE negotiation mode, the tunnel local on the local end must be the same as the remote-address that the remote end references from the IKE peer.
    • You do not need to specify the tunnel local (local address) for the IKE peer referenced in an IPSec profile, because the local address is the source address of the GRE, mGRE, or IPSec virtual tunnel interface. For the IKE peer referenced in an IPSec profile, tunnel local does not take effect.
    • When applying an IPSec policy to a tunnel interface and running the source command to specify an IP address for the interface, you must run the tunnel local command to configure a tunnel local address. Otherwise, IKE negotiation will fail.
    • If both tunnel local and remote-address are configured, IP addresses of the same version must be specified.
    • In an IPSec hot standby scenario, tunnel local must be set to a virtual IP address.

  9. (Optional) Run sa trigger-mode { auto | traffic-based }

    An IPSec tunnel trigger mode is configured.

    By default, the IPSec tunnel trigger mode is traffic-based.

  10. (Optional) Run pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group15 | dh-group16 | dh-group18 | dh-group19 | dh-group20 | dh-group21 | dh-group24 }

    The device is configured to use perfect forward secrecy (PFS) when the local end initiates negotiation.

    By default, PFS is not used when the local end initiates negotiation.

    When the local end initiates negotiation, there is an additional Diffie-Hellman (DH) exchange in IKEv1 phase 2 or IKEv2 CREATE_CHILD_SA exchange. The additional DH exchange ensures security of the IPSec SA key and improves communication security.

    If PFS is specified on the local end, you also need to specify PFS on the remote end. The DH group specified on the two ends must be the same; otherwise, negotiation fails. When an IPSec policy in ISAKMP mode is used on the local end while an IPSec policy configured using an IPSec policy template is used on the remote end, no DH group needs to be configured on the remote end. The DH group on the responder is used for negotiation.

  11. (Optional) Run respond-only enable

    The local end is configured not to initiate negotiation.

    By default, if the local end establishes an IPSec tunnel based on the IPSec policy configured in ISAKMP mode, the local end initiates an IPSec negotiation.

    If two IPSec peers establish an IPSec tunnel based on the IPSec policy configured in ISAKMP mode, both ends initiate negotiation. You can configure one end as the responder that does not initiate negotiation, which can help you check packet processing and locate IPSec faults.

  12. (Optional) Run policy enable

    The IPSec policy is enabled.

    By default, IPSec policies in an IPSec policy group are enabled.

  13. (Optional) Run flow-vrf check disable

    The device is disabled from checking the VPN instance in data flows during IPSec encryption/decryption.

    By default, the device checks the VPN instance in data flows during IPSec encryption/decryption.

    When a branch connects to the headquarters and multiple VPNs are deployed in the headquarters, the branch accesses different VPNs based on services. The headquarters' IPSec tunnel can be bound to only one VPN instance, so VPNs import routes from each other for inter-VPN traffic forwarding. If a device detects VPN instance inconsistency when matching packets, it discards the packets. To prevent this problem, perform this step.
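    A complete branch-side configuration that walks through the procedure above, added here as an example and not taken from this page. The ACL, IPSec proposal, IKE proposal and IKE peer commands are assumed from the prerequisite topics the page refers to (their exact syntax depends on the device version); all names, addresses and the pre-shared key placeholder are constructed.

```text
# Constructed example: branch LAN 192.168.10.0/24, headquarters LAN 192.168.20.0/24,
# branch WAN interface GigabitEthernet0/0/1, fixed headquarters gateway 203.0.113.2
system-view
# Prerequisite for step 5: advanced ACL that defines the traffic to be protected
acl number 3001
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
quit
# Prerequisite for step 6: one IPSec proposal (both ends must use the same encapsulation mode)
ipsec proposal prop-hq
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
quit
# Prerequisite for step 7: IKE proposal and IKE peer pointing at the fixed remote address
ike proposal 10
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
 dh group14
quit
ike peer hq
 pre-shared-key cipher PSK-PLACEHOLDER
 ike-proposal 10
 remote-address 203.0.113.2
quit
# Steps 2, 5, 6, 7, 8, 9 and 10: the ISAKMP-mode IPSec policy itself
ipsec policy branch-to-hq 10 isakmp
 security acl 3001
 proposal prop-hq
 ike-peer hq
 tunnel local applied-interface
 sa trigger-mode auto
 pfs dh-group14
quit
# Apply the policy group to the WAN interface; tunnel local applied-interface resolves
# to this interface's primary IP address
interface GigabitEthernet0/0/1
 ipsec policy branch-to-hq
quit
```

The headquarters end needs the mirror-image ACL, a proposal with the same transform and encapsulation mode, and the same DH group under pfs; remember that changing prop-hq afterwards requires removing and re-applying the policy group on GigabitEthernet0/0/1.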

Copyright © Huawei Technologies Co., Ltd.