Configuring an IPSec Policy Using an IPSec Policy Template

Procedure

1. Run system-view

   The system view is displayed.

2. Run ipsec policy-template template-name seq-number

   An IPSec policy template is created and the IPSec policy template view is displayed.

   By default, no IPSec policy template is created.

3. (Optional) Run alias alias

   The alias name of the IPSec policy template is specified.

   By default, the system uses the combination of the name and sequence number of an IPSec policy template as the alias. If the default alias has been used by another IPSec policy template, the system uses the combination of the current time as well as the name and sequence number of an IPSec policy template as the alias.

4. (Optional) Run security acl { ipv6 acl-number | acl-number }

   An ACL is referenced in the IPSec policy.

   By default, an IPSec policy does not reference an ACL.

   acl-number is an advanced ACL that has been created.

   One IPSec policy template can reference only one ACL. Before referencing a new ACL, you must delete the ACL that has been referenced.

   If data flows to be protected are not specified, the responder accepts the range of data flows to be protected on the initiator. If data flows to be protected are specified, the ACL on the responder must mirror the ACL on the initiator or the range specified by the ACL on the responder must cover the range specified by the ACL on the initiator.

5. (Optional) Run security acl-rule modification response disable

   The device is disabled from immediately triggering IPSec tunnel re-negotiation after an ACL rule is modified.

   By default, the device immediately triggers IPSec tunnel re-negotiation after an ACL rule is modified.

   After an ACL rule is modified, by default, the device immediately triggers IPSec tunnel re-negotiation, which results in a short interruption of IPSec traffic. To prevent this problem, perform this step so that the device re-negotiates the IPSec tunnel after the IPSec SA aging time expires.

6. Run proposal proposal-name

   An IPSec proposal is referenced in the IPSec policy template.

   By default, an IPSec policy template does not reference an IPSec proposal.

   proposal-name is an IPSec proposal that has been created.

   An IPSec policy template can reference a maximum of 12 IPSec proposals. During IKE negotiation, the two ends of an IPSec tunnel first use the IPSec proposals with the same parameter settings. If IPSec proposals with the same parameter settings cannot be found, an SA cannot be set up.

   

   When referencing multiple IPSec proposals in an IPSec policy template, ensure that the encapsulation mode of IPSec proposals referenced by the IPSec policy template at one end are the same as the encapsulation mode of IPSec proposals referenced by the IPSec policy at the other end. That is, the encapsulation mode at both ends must be transport or tunnel.

   When multiple authentication or encryption algorithms are configured in one IPSec proposal, the device can no longer reference IPSec proposals if the total number of algorithms in referenced IPSec proposals exceeds 255. The number of algorithms in one IPSec proposal is calculated using the following formula: Number of algorithms in one IPSec proposal = Number of authentication algorithms used in the AH protocol x Number of authentication algorithms used in the ESP protocol x Number of encryption algorithms used in the ESP protocol. If no authentication or encryption algorithm is configured, the number is considered as 1.

7. Run ike-peer peer-name

   An IKE peer is referenced in the IPSec policy template.

   By default, an IPSec policy template does not reference an IKE peer.

   peer-name is an IKE peer that has been created.

8. (Optional) Run tunnel local { ipv4-address | ipv6-address }

   A local IP address of an IPSec tunnel is configured.

   By default, the local IP address of an IPSec tunnel is not configured.

   

   • If an IPSec policy is created in IKE negotiation mode, the tunnel local on the local end must be the same as remote-address that the remote end references from the IKE peer.

   • You do not need to specify the tunnel local (local address) for the IKE peer referenced in an IPSec profile, because the local address is the source address of the GRE, mGRE or IPSec virtual tunnel interface. For the IKE peer referenced in an IPSec profile, tunnel local does not take effect.

   • When applying an IPSec policy to a tunnel interface and running the source command to specify an IP address for the interface, you must run the tunnel local command to configure a tunnel local address. Otherwise, IKE negotiation will fail.

   • If both tunnel local and remote-address are configured, IP addresses of the same version must be specified.

   • In an IPSec hot standby scenario, tunnel local must be set to a virtual IP address.

9. (Optional) Run pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group15 | dh-group16 | dh-group18 | dh-group19 | dh-group20 | dh-group21 | dh-group24 }

   The device is configured to use perfect forward secrecy (PFS) when the local end initiates negotiation.

   By default, PFS is not used when the local end initiates negotiation.

   When the local end initiates negotiation, there is an additional Diffie-Hellman (DH) exchange in IKEv1 phase 2 or IKEv2 CREATE_CHILD_SA exchange. The additional DH exchange ensures security of the IPSec SA key and improves communication security.

   If PFS is specified on the local end, you also need to specify PFS on the remote end. The DH group specified on the two ends must be the same; otherwise, negotiation fails. When an IPSec policy in ISAKMP mode is used on the local end while an IPSec policy configured using an IPSec policy template is used on the remote end, no DH group needs to be configured on the remote end. The DH group on the responder is used for negotiation.

10. (Optional) Run policy enable

    The IPSec policy is enabled.

    By default, IPSec policies in an IPSec policy group are enabled.

11. (Optional) Run flow-vrf check disable

    The device is disabled from checking the VPN instance in data flows during IPSec encryption/decryption.

    By default, the device checks the VPN instance in data flows during IPSec encryption/decryption.

    When a branch connects to the headquarters and multiple VPNs are deployed in the headquarters, the branch accesses different VPNs based on services. The headquarters' IPSec tunnel can be bound to only one VPN instance, so VPNs import routes from each other for inter-VPN traffic forwarding. If a device detects VPN instance inconsistency when matching packets, it discards the packets. To prevent this problem, perform this step.

12. Run quit

    Return to the system view.

13. Run ipsec policy policy-name seq-number isakmp template template-name

    An IPSec policy template is referenced in the IPSec policy.

    The referenced IPSec policy template name template-name must be different from the IPSec policy name policy-name.

    Only one IPSec policy in an IPSec policy group can reference the policy template, and number of this policy must be larger than that of other policies. If the IPSec policy created using the policy template does not have the lowest priority, other IPSec policies in the same IPSec policy group do not take effect.