258
Step Command
Remarks
5.
Specify the mode in
which the security
protocol encapsulates IP
packets.
encapsulation-mode
{
transport
|
tunnel
}
By default, the security protocol
encapsulates IP packets in tunnel
mode.
The transport mode applies only
when the source and destination IP
addresses of data flows match
those of the IPsec tunnel.
IPsec for IPv6 routing protocols
supports only the transport mode.
6.
(Optional.) Enable the
Perfect Forward Secrecy
(PFS) feature for the IPsec
policy.
•
In non-FIPS mode:
pfs
{
dh-group1
|
dh-group2
|
dh-group5
|
dh-group14
|
dh-group24
}
•
In FIPS mode:
pfs dh-group14
By default, the PFS feature is not
used for SA negotiation.
For more information about PFS,
see "
."
The security level of the
Diffie-Hellman (DH) group of the
initiator must be higher than or
equal to that of the responder.
The end without the PFS feature
performs SA negotiation according
to the PFS requirements of the peer
end.
Configuring a manual IPsec policy
In a manual IPsec policy, the parameters are configured manually, such as the keys, the SPIs, and the IP
addresses of the two ends in tunnel mode.
Configuration restrictions and guidelines
Make sure the IPsec configuration at the two ends of an IPsec tunnel meets the following requirements:
•
The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols,
security algorithms, and encapsulation mode.
•
The remote IPv4 address configured on the local end must be the same as the primary IPv4 address
of the interface applied with the IPsec policy at the remote end. The remote IPv6 address configured
on the local end must be the same as the first IPv6 address of the interface applied with the IPsec
policy at the remote end.
•
At each end, configure parameters for both the inbound SA and the outbound SA, and make sure
the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP address,
security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique.
•
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true
of the local outbound SA and remote inbound SA.
•
The keys for the local and remote inbound and outbound SAs must be in the same format. For
example, if the local inbound SA uses a key in characters, the local outbound SA and remote
inbound and outbound SAs must use keys in characters.
Configuration procedure
To configure a manual IPsec policy: