
ipsec policy (system view)

Function

The ipsec policy command creates an IPSec policy and displays the IPSec policy view.

The undo ipsec policy command deletes an IPSec policy.

By default, no IPSec policy is configured.

Format

ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

undo ipsec policy policy-name [ seq-number ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| policy-name | Specifies the name of an IPSec policy. | The value is a string of 1 to 15 case-sensitive characters without question marks (?) and spaces. |
| seq-number | Specifies the sequence number of an IPSec policy. | The value is an integer that ranges from 1 to 10000. A smaller value indicates a higher IPSec policy priority. |
| manual | Indicates that an IPSec SA is created manually. | - |
| isakmp | Indicates that an IPSec policy is established in IKE negotiation mode. | - |
| template template-name | Indicates that an IPSec policy is established by referencing an IPSec policy template. | The value must be an existing IPSec policy template name. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IPSec policy is uniquely defined by its name and sequence number. IPSec policies with the same name belong to one IPSec policy group.

  • Manual mode

    IPSec parameters including the authentication/encryption key and SPI on IPSec peers must mirror each other. That is, IPSec parameters of the inbound SA at the local end must be the same as those of the outbound SA at the remote end, and IPSec parameters of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.

  • IKE negotiation mode

    IPSec parameters are automatically negotiated through IKE. This mode has two variants, ISAKMP and IPSec policy template:

    • ISAKMP

      Negotiated IPSec parameters are defined in the IPSec policy view, and the initiator and responder must use the same IPSec parameters.

      A device that uses an ISAKMP policy can act as either the initiator or the responder.

    • IPSec policy template

      An IPSec policy template defines negotiated parameters. The initiator determines optional parameters, and the responder accepts the parameters delivered by the initiator.

      An IPSec policy template reduces the workload of establishing multiple IPSec tunnels. It is applicable to specific scenarios, for example, one in which the remote IP address is variable or unknown (for example, the remote end obtains an IP address using PPPoE) and the remote device is allowed to initiate negotiation to the local end.

      ACLs in this mode are optional. If no ACL is configured, the responder uses the ACL configured on the initiator to protect data flows.

Follow-up Procedure

Define negotiated IPSec parameters in the IPSec policy view and run the ipsec policy (interface view) command to bind the IPSec policy to an interface.
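The manual-mode mirroring rule in the usage scenario and the follow-up procedure above, worked through as an added configuration example that is not taken from this page or from Huawei's own documentation. Two peers, A and B, each carry a manual IPSec policy in the same policy group; every inbound value on one peer equals the corresponding outbound value on the other. The ipsec proposal, acl, security acl, proposal, tunnel local, tunnel remote, sa spi, sa string-key and interface-view ipsec policy commands are assumed to belong to the same command family as ipsec policy; the addresses, SPIs, interface name and the KEY-* strings are constructed placeholders. Lines beginning with # are explanatory comments, not device commands.

```text
# ---- Peer A (tunnel endpoint 192.0.2.1, protects 10.1.1.0/24 -> 10.1.2.0/24) ----
system-view
ipsec proposal prop1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
quit
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
quit
ipsec policy policy2 1 manual
 security acl 3000
 proposal prop1
 tunnel local 192.0.2.1
 tunnel remote 198.51.100.1
# inbound SPI/key on A must equal outbound SPI/key on B, and vice versa
 sa spi inbound esp 12345
 sa spi outbound esp 54321
 sa string-key inbound esp cipher KEY-B-TO-A
 sa string-key outbound esp cipher KEY-A-TO-B
quit
interface GigabitEthernet0/0/1
 ipsec policy policy2
quit

# ---- Peer B (tunnel endpoint 198.51.100.1): the mirror image of Peer A ----
system-view
ipsec proposal prop1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
quit
acl number 3000
# ACL is mirrored too: source and destination are swapped
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
quit
ipsec policy policy2 1 manual
 security acl 3000
 proposal prop1
 tunnel local 198.51.100.1
 tunnel remote 192.0.2.1
# B's inbound = A's outbound (54321 / KEY-A-TO-B); B's outbound = A's inbound (12345 / KEY-B-TO-A)
 sa spi inbound esp 54321
 sa spi outbound esp 12345
 sa string-key inbound esp cipher KEY-A-TO-B
 sa string-key outbound esp cipher KEY-B-TO-A
quit
interface GigabitEthernet0/0/1
 ipsec policy policy2
quit
```

The check worth making after binding is that each peer's inbound SPI equals the other peer's outbound SPI (assuming a display ipsec sa command is available in this command family, it lists the SPIs of the installed SAs); a mismatched SPI or key in manual mode produces no negotiation error, the tunnel simply never passes traffic. Because the proposal is a transform set and the ACL is a data-flow selector, both are per-peer and are mirrored rather than copied verbatim.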

Precautions

  • The end where an IPSec policy template is configured can only function as the responder to receive negotiation requests.
  • One IPSec policy group can have only one IPSec policy template.
  • When creating an IPSec policy, you must specify the SA creation mode. When entering the view of an existing IPSec policy, you do not need to specify the SA creation mode.
  • To change the negotiation mode of an existing IPSec policy, delete the IPSec policy and create it again with the new mode.

Example

# Set an IPSec policy using the ISAKMP negotiation mode. The IPSec policy name is policy1 and the sequence number is 1.

<sysname> system-view
[sysname] ipsec policy policy1 1 isakmp
[sysname-ipsec-policy-isakmp-policy1-1]

# Set an IPSec policy using the manual negotiation mode. The IPSec policy name is policy2 and the sequence number is 1.

<sysname> system-view
[sysname] ipsec policy policy2 1 manual
[sysname-ipsec-policy-manual-policy2-1]
Copyright © Huawei Technologies Co., Ltd.