261
•
The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional
on the responder. The remote IP address specified on the local end must be the same as the local
IP address specified on the remote end.
For an IPsec SA established through IKE negotiation:
•
The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.
•
The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires
when either lifetime expires.
Directly configuring an IKE-based IPsec policy
Step Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Create an IKE-based IPsec
policy entry and enter its view.
ipsec
{
ipv6-policy
|
policy
}
policy-name
seq-number
isakmp
By default, no IPsec policy exists.
3.
(Optional.) Configure a
description for the IPsec
policy.
description
text
By default, no description is
configured.
4.
Specify an ACL for the IPsec
policy.
security acl
[
ipv6
] {
acl-number
|
name
acl-name }
[
aggregation
|
per-host
]
By default, no ACL is specified for
the IPsec policy.
An IPsec policy can reference only
one ACL.
5.
Specify IPsec transform sets
for the IPsec policy.
transform-set
transform-set-name
&<1-6>
By default, the IPsec policy
references no IPsec transform set.
6.
Specify an IKE profile for the
IPsec policy.
ike-profile
profile-name
By default, the IPsec policy
references no IKE profile, and the
device selects an IKE profile
configured in system view for
negotiation. If no IKE profile is
configured, the globally
configured IKE settings are used.
An IPsec policy can reference only
one IKE profile, and it cannot
reference any IKE profile that is
already referenced by another
IPsec policy or IPsec policy
template.
For more information about IKE
profiles, see "
."