570 CHAPTER 40: CONFIGURING IPSEC
By default, the start point and the end point of the security tunnel are not
specified.
Set IPSec proposal quoted in security policy
When an SA is created manually, a security policy can quote only one IPSec proposal;
to set a new IPSec proposal, the previously configured one must be deleted first.
If the local IPSec proposal does not match the peer's completely, the SA cannot be
established, and the messages that require protection are discarded.
The security policy determines its protocol, algorithm and encapsulation mode by
quoting the IPSec proposal. An IPSec proposal must be established before it is
quoted.
Perform the following configurations in IPSec policy view.
Table 642 Configure IPSec Proposal Quoted in Security Policy
By default, the security policy quotes no IPSec proposal.
Set SPI of security policy association and its adopted key
In a manually established security policy association, if the AH protocol is
included in the quoted IPSec proposal, the SPI of the AH SA and the authentication
key must be set manually for both inbound and outbound communications. If the ESP
protocol is included in the quoted IPSec proposal, the SPI of the ESP SA, the
authentication key and the ciphering key must be set manually for both inbound
and outbound communications.
At both ends of a security tunnel, the SPI and the key of the local inbound SA
must be the same as those of the peer outbound SA, and the SPI and the key of
the local outbound SA must be the same as those of the peer inbound SA.
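The matching rules above (identical IPSec proposals at both ends, and each end's inbound SPI and keys equal to the peer's outbound ones) can be checked offline before the values are entered on the devices. This is an added example, not part of the original manual or the router software; the class names, field names and sample values are constructed for illustration.

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Optional

@dataclass(frozen=True)
class ManualSA:                        # hypothetical record of one manual SA
    spi: int
    auth_key: str                      # hex string
    cipher_key: Optional[str] = None   # ESP only

@dataclass
class TunnelEnd:                       # hypothetical record of one tunnel end
    proposal: dict                     # protocols, algorithms, encapsulation mode
    inbound: dict = field(default_factory=dict)    # "ah"/"esp" -> ManualSA
    outbound: dict = field(default_factory=dict)

def _same_key(a, b):
    # Constant-time comparison; a missing key never matches.
    return a is not None and b is not None and compare_digest(a, b)

def check_pair(local: TunnelEnd, peer: TunnelEnd) -> list:
    """Return findings; an empty list means the two ends are consistent."""
    findings = []
    if local.proposal != peer.proposal:
        findings.append("proposal mismatch")
    for proto in local.proposal.get("protocols", ()):
        pairs = (("local inbound/peer outbound", local.inbound, peer.outbound),
                 ("local outbound/peer inbound", local.outbound, peer.inbound))
        for tag, mine, theirs in pairs:
            a, b = mine.get(proto), theirs.get(proto)
            if a is None or b is None:
                findings.append(f"{proto} {tag}: SA not configured")
                continue
            if a.spi != b.spi:
                findings.append(f"{proto} {tag}: SPI differs")
            if not _same_key(a.auth_key, b.auth_key):
                findings.append(f"{proto} {tag}: authentication key differs")
            if proto == "esp" and not _same_key(a.cipher_key, b.cipher_key):
                findings.append(f"{proto} {tag}: ciphering key missing or differs")
    return findings   # key values are deliberately never included in findings

# Constructed sample values, not taken from any real device.
PROPOSAL = {"protocols": ("esp",), "auth": "sha1", "cipher": "3des", "mode": "tunnel"}
site_a = TunnelEnd(PROPOSAL,
                   inbound={"esp": ManualSA(0x1001, "aa" * 20, "bb" * 24)},
                   outbound={"esp": ManualSA(0x2002, "cc" * 20, "dd" * 24)})
site_b_mirrored = TunnelEnd(PROPOSAL, inbound=site_a.outbound, outbound=site_a.inbound)
site_b_copied = TunnelEnd(PROPOSAL, inbound=site_a.inbound, outbound=site_a.outbound)
```

`check_pair(site_a, site_b_mirrored)` returns no findings, while the verbatim copy in `site_b_copied` is reported in both directions.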
Operation                                                                                 Command
Delete local address of security tunnel (applicable to IPSec software and crypto card)    undo tunnel local ip-address
Set remote address of security tunnel (applicable to IPSec software and crypto card)      tunnel remote ip-address
Delete remote address of security tunnel (applicable to IPSec software and crypto card)   undo tunnel remote ip-address
Operation                                                                                        Command
Set IPSec proposal quoted in security policy (applicable to IPSec software and crypto card)      proposal proposal-name
Cancel IPSec proposal quoted in security policy (applicable to IPSec software and crypto card)   undo proposal