The ipsec policy command binds an IPSec policy group of the current system to an interface of the current system.
The ipsec policy public command binds an IPSec policy group of the virtual system to an interface of the virtual system.
The undo ipsec policy command unbinds an IPSec policy group from an interface.
By default, no IPSec policy group is bound to an interface. In IPSec hot standby scenarios, hot standby is enabled by default for interfaces that IPSec policies apply to.
ipsec policy policy-name [ alone | master | slave ]
ipsec policy policy-name public [ alone | master | slave ]
undo ipsec policy
| Parameter | Description | Value |
|---|---|---|
| policy-name | Specifies the name of an IPSec policy group bound to an interface. | The value must be the name of an existing IPSec policy group on the device. |
| public | Indicates the IPSec policy group of the root system. NOTE: This parameter is used when the IPSec policy group of the root system is applied to the interface of the virtual system. | - |
| alone | Indicates that the tunnel is not backed up when the status of the IPSec policy group is alone. | - |
| master | Indicates that the status of the IPSec policy group is master. | - |
| slave | Indicates that the status of the IPSec policy group is slave. | - |
Views
VLANIF interface view, Ethernet interface view, Ethernet sub-interface view, tunnel interface view, Dialer interface view, Eth-Trunk interface view, Eth-Trunk sub-interface view, Layer-2 Ethernet interface view ([undo] ipsec policy), Layer-2 Ethernet sub-interface view ([undo] ipsec policy), Virtual-if interface view
Usage Scenario
You can bind an IPSec policy group to a physical or logical interface to protect data flows. In addition to physical interfaces such as serial interfaces and Ethernet interfaces, you can bind an IPSec policy group to virtual interfaces such as Tunnel interfaces. IPSec policy groups can be used according to actual networking requirements. If an IPSec policy group is unbound from an interface, the interface cannot provide IPSec functions.
After an IPSec policy group is bound to an interface, all IPSec policies in the group are bound to the interface to protect different data flows.
When sending a packet, an interface matches the packet against the IPSec policies in the bound IPSec policy group in ascending order of sequence number. If the packet matches the ACL referenced by an IPSec policy, the packet is processed according to that IPSec policy. If the packet does not match an IPSec policy, the interface checks the next policy. If no matching ACL is found after all IPSec policies have been checked, the interface sends the packet directly, without IPSec protection.
In a scenario where IPSec hot standby in load balancing mode is used, an administrator must specify the IPSec policy group status as master, slave, or alone to control tunnel negotiation and status backup. In the DSVPN over IPSec hot standby scenario, an administrator must specify the IPSec policy group status as alone. In other scenarios, the IPSec policy group status does not need to be configured.
Prerequisites
Precautions
Only one IPSec policy group can be bound to an interface, and an IPSec policy group can be bound to only one interface. To bind a new IPSec policy group to an interface, remove the previous one first.
When an IPSec policy group contains both an IPSec policy created from an IPSec policy template and an IPSec policy in ISAKMP mode, the ISAKMP-mode policy can be matched only if its sequence number is smaller than that of the template-based policy.
In an IPSec policy group, if multiple policies are bound to different IKE peers, the remote addresses specified in the IKE peers cannot be the same. Otherwise, IKE negotiation of some IPSec policies fails.
When IPSec intelligent traffic steering is applied to an interface that has another IPSec policy applied, and the peer IP address used in IPSec intelligent traffic steering is the same as the peer IP address of the IPSec policy, IKE negotiation fails.
If multiple IPSec policies are bound to the same IKE peer in an IPSec policy group, the same tunnel local address must be configured for these IPSec policies. Otherwise, IKE negotiation of some IPSec policies fails.
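The following Python model ties the matching rule in the usage scenario to the precautions above. It is an added example, not Huawei code or VRP output: the `AclRule`/`IpsecPolicy` data model, the function names and the sample group are assumptions constructed for illustration. `select_policy` walks a group in ascending sequence number and returns the first policy whose ACL matches (or `None`, meaning the packet leaves the interface unprotected); `lint_policy_group` flags the three configurations the precautions say will fail: an ISAKMP-mode policy ordered after a template-based one, different IKE peers sharing a remote address, and one IKE peer used with different tunnel local addresses.

```python
"""Model of how an interface consults a bound IPSec policy group, plus a
lint pass for the precautions listed in this reference.

Added illustration: the data model and function names are assumptions,
not Huawei VRP APIs or command output."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class AclRule:
    """One permit rule of the ACL an IPSec policy references (constructed)."""
    source: str       # CIDR the packet's source address must fall in
    destination: str  # CIDR the packet's destination address must fall in

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))


@dataclass
class IpsecPolicy:
    """One entry of a policy group, identified by its sequence number."""
    seq: int
    mode: str                      # "isakmp" or "template"
    ike_peer: str                  # name of the referenced IKE peer
    local_address: str             # tunnel local address
    remote_address: Optional[str]  # remote address in the IKE peer; None for templates
    acl: List[AclRule] = field(default_factory=list)


def select_policy(group: List[IpsecPolicy], src: str, dst: str) -> Optional[IpsecPolicy]:
    """Outbound lookup: policies are tried in ascending sequence number and
    the first ACL hit wins. None means the interface forwards the packet
    without IPSec protection."""
    for policy in sorted(group, key=lambda p: p.seq):
        if any(rule.matches(src, dst) for rule in policy.acl):
            return policy
    return None


def lint_policy_group(group: List[IpsecPolicy]) -> List[str]:
    """Return one finding per violation of the precautions in this reference."""
    findings: List[str] = []

    # An ISAKMP-mode policy must have a smaller sequence number than any
    # template-based policy in the group, or it is never reached.
    for p in (p for p in group if p.mode == "isakmp"):
        for t in (t for t in group if t.mode == "template"):
            if p.seq > t.seq:
                findings.append(
                    f"isakmp policy seq {p.seq} is ordered after template policy seq {t.seq}")

    # Different IKE peers in one group must not share a remote address.
    peers_by_remote: Dict[str, Set[str]] = {}
    for p in group:
        if p.remote_address is not None:
            peers_by_remote.setdefault(p.remote_address, set()).add(p.ike_peer)
    for addr, peers in peers_by_remote.items():
        if len(peers) > 1:
            findings.append(f"IKE peers {sorted(peers)} share remote address {addr}")

    # Policies that reference the same IKE peer must use one tunnel local address.
    locals_by_peer: Dict[str, Set[str]] = {}
    for p in group:
        locals_by_peer.setdefault(p.ike_peer, set()).add(p.local_address)
    for peer, addrs in locals_by_peer.items():
        if len(addrs) > 1:
            findings.append(f"IKE peer {peer} is used with local addresses {sorted(addrs)}")

    return findings


# Constructed sample group, deliberately listed out of sequence order.
SAMPLE_GROUP = [
    IpsecPolicy(30, "isakmp", "peer-a", "198.51.100.2", "203.0.113.10",
                [AclRule("10.1.0.0/16", "10.2.0.0/16")]),
    IpsecPolicy(10, "isakmp", "peer-a", "198.51.100.1", "203.0.113.10",
                [AclRule("10.1.1.0/24", "10.2.2.0/24")]),
    IpsecPolicy(20, "isakmp", "peer-b", "198.51.100.1", "203.0.113.10",
                [AclRule("10.1.1.0/24", "10.3.3.0/24")]),
    IpsecPolicy(25, "template", "peer-t", "198.51.100.1", None),
]

if __name__ == "__main__":
    hit = select_policy(SAMPLE_GROUP, "10.1.1.5", "10.2.2.9")
    print("matched seq", hit.seq if hit else "none (sent without IPSec)")
    for finding in lint_policy_group(SAMPLE_GROUP):
        print("finding:", finding)
```

Note that the packet 10.1.1.5 to 10.2.2.9 matches both seq 10 and the broader seq 30, and seq 10 wins because the walk is in ascending order; the sample group also produces exactly one finding for each of the three precautions.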
Bind IPSec policy group policy1 to GigabitEthernet 0/0/2 of the current system.
<sysname> system-view
[sysname] ipsec policy policy1 1 isakmp
[sysname-ipsec-policy-isakmp-policy1-1] quit
[sysname] interface GigabitEthernet 0/0/2
[sysname-GigabitEthernet0/0/2] ipsec policy policy1
Bind IPSec policy group policy2 of the root system to GigabitEthernet 0/0/2, which is assigned to the virtual system huawei.
<sysname> system-view
[sysname] ipsec policy policy2 1 isakmp
[sysname-ipsec-policy-isakmp-policy2-1] quit
[sysname] vsys name huawei
[sysname-vsys-huawei] assign interface GigabitEthernet 0/0/2
[sysname-vsys-huawei] quit
[sysname] interface GigabitEthernet 0/0/2
[sysname-GigabitEthernet0/0/2] ipsec policy policy2 public