572 CHAPTER 40: CONFIGURING IPSEC
A key can be entered in either of two modes, character string or hexadecimal; if both are entered, the key entered in string mode is the one that takes effect. Both ends of the security tunnel must enter the key in the same mode: if one end enters the key as a string and the other as hexadecimal, the security tunnel cannot be set up correctly. To set a new key, delete the existing key first.
Creating a Security Policy Association with IKE

Perform the following configurations in system view.

Table 645 Establish Security Policy Association with IKE Negotiation

Operation: Create a security policy association with IKE negotiation and enter IPSec policy view (applicable to IPSec software and crypto card)
Command:   ipsec policy policy-name sequence-number isakmp

Operation: Modify a security policy established with IKE negotiation (applicable to the main software IPSec and crypto card)
Command:   ipsec policy policy-name sequence-number

Operation: Delete a created security policy (applicable to IPSec software and crypto card)
Command:   undo ipsec policy policy-name [ sequence-number ]

By default, no security policy is created.

Set the access control list referenced by the security policy

After a security policy is created, the encryption access control list it references must also be specified, so that the policy can decide which inbound and outbound traffic is to be encrypted and which is not. Traffic that the referenced ACL does not select is not protected by the policy.

Perform the following configurations in IPSec policy view.

Table 646 Configure Encryption Access Control List Referenced in Security Policy

Operation: Configure the encryption access control list referenced by the security policy (applicable to IPSec software and crypto card)
Command:   security acl access-list-number

Operation: Cancel the encryption access control list referenced by the security policy (applicable to IPSec software and crypto card)
Command:   undo security acl access-list-number

By default, no encryption access control list is referenced by the security policy.

Set the end point of the security tunnel

For a security policy created in IKE negotiation mode, it is unnecessary to set a local address, because IKE obtains the local address from the interface on which the security policy is applied.

Only one remote address can be specified for a security policy established by IKE. If a remote address has already been specified, it must be deleted before a new remote address is specified.

Perform the following configurations in IPSec policy view.

Table 647 Specify End Point of Security Tunnel

Operation: Set the remote address of the security tunnel (applicable to IPSec software and crypto card)
Command:   tunnel remote ip-address
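The following is an added worked example and is not taken from this manual: it applies the three steps above (create the IKE-negotiated policy, reference the encryption ACL, set the remote end point) on both peers of a site-to-site tunnel, so that the two sides can be checked against each other. Only the ipsec policy ... isakmp, ipsec policy (modify), undo ipsec policy, security acl and tunnel remote commands come from Tables 645 to 647. The ACL definition, the IKE pre-shared key, the IPSec proposal, the undo tunnel remote form and the interface commands, as well as every policy name, ACL number and address, are assumptions about the rest of the configuration and may differ on a given software release. Lines beginning with # are explanatory comments.

```text
# --- Router A (tunnel address 202.38.163.1, protected LAN 10.1.1.0/24) ---
# Assumed (not on this page): an advanced ACL that selects the traffic to encrypt.
# It must be the mirror image of the peer's ACL (source and destination swapped);
# anything it does not permit is sent outside the tunnel.
acl number 3001
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 quit
# Assumed (not on this page): pre-shared key for IKE. Both peers must hold the same
# key and enter it in the same mode (string or hexadecimal), see the key note above.
ike pre-shared-key abcde remote 202.38.163.2
# Assumed (not on this page): an IPSec proposal for the policy to reference.
ipsec proposal tran1
 quit
# Table 645: create the policy with IKE negotiation and enter IPSec policy view.
ipsec policy policy1 10 isakmp
# Table 646: reference the encryption ACL (IPSec policy view).
 security acl 3001
# Table 647: exactly one remote address; no local address is configured, because
# IKE takes it from the interface the policy is applied to.
 tunnel remote 202.38.163.2
# Assumed (not on this page): bind the proposal.
 proposal tran1
 quit
# Assumed (not on this page): apply the policy on the interface facing the peer.
interface serial 0/0
 ip address 202.38.163.1 255.255.255.0
 ipsec policy policy1
 quit

# --- Router B (tunnel address 202.38.163.2, protected LAN 10.1.2.0/24) ---
# Same structure; note the mirrored ACL and the remote address pointing back at A.
acl number 3001
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
 quit
ike pre-shared-key abcde remote 202.38.163.1
ipsec proposal tran1
 quit
ipsec policy policy1 10 isakmp
 security acl 3001
 tunnel remote 202.38.163.1
 proposal tran1
 quit
interface serial 0/0
 ip address 202.38.163.2 255.255.255.0
 ipsec policy policy1
 quit

# --- Later change of peer on Router A ---
# Table 645: re-enter an existing IKE policy without the isakmp keyword to modify it.
ipsec policy policy1 10
# The policy holds one remote address, so the old one must go before a new one is
# set (Table 647). The undo form with the address is assumed (not on this page).
 undo tunnel remote 202.38.163.2
 tunnel remote 202.38.163.3
 quit
# Table 645: remove the whole policy entry if it is no longer needed.
undo ipsec policy policy1 10
```

When reviewing such a configuration, check the three things this page ties together: the two ACLs are exact mirrors of each other (a mismatch makes IKE negotiation fail or leaves part of the traffic unencrypted), each side's tunnel remote address is the address of the interface on which the peer applied its policy, and the pre-shared key is identical and entered in the same mode on both ends.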