3Com 10014299 Network Router User Manual


 
Creating a Security Policy 573
By default, the end point of the security tunnel is not specified.
Set the IPSec proposal quoted in security policy
Perform the following configurations in IPSec policy view.
Table 648 Configure IPSec Proposal Quoted in Security Policy
By default, the security policy quotes no IPSec proposal.
When SA is created through IKE negotiation, a security policy can quote at most 6
IPSec proposals and IKE negotiation will search the completely matched IPSec
proposal at both ends of the security tunnel. If IKE cannot find completely
matched IPSec proposal, then it will not establish SA successfully, then the
messages that require protection will be discarded.
The security policy determines its protocol, algorithm and encapsulation mode by
quoting the IPSec proposal. A IPSec proposal must be established before it is
quoted
Set SA lifetime
There are two types of SA lifetime (or lifecycle): time-based and traffic-based. The
SA becomes invalid on the first expiration of either type of lifetime. Before the SA
becomes invalid, IKE establishes a new SA for IPSec negotiation, so a new SA is
ready when the previous one becomes invalid. If the global lifetime is modified
during the valid period of the current SA, the new one will be applied, not to the
present SA but to the later SA negotiation.
The SA lifetime is only effective for an SA established with IKE, and the SA
established manually does not involve the concept of lifetime.
If a security policy is not configured with lifetime value, when the router applies
for a new SA, it sends a request to the remote end to set up a security tunnel
negotiation and gets the SA lifetime of the remote end, and applies it as the new
SA lifetime. If the local end has configured the SA lifetime when creating security
policy, when it receives the application for security tunnel negotiation from the
remote end, it will compare the lifetime proposed by the remote end with its own
lifetime, and choose the smaller one as the SA lifetime.
SA is timeout based on the first expiration of the lifetime by seconds (specified by
the key word time-based) or kilobytes of communication traffic (specified by the
key word traffic-based).
The new SA should have completed the negotiation before the original SA times
out, so that the new SA can be put into use as soon as the original SA expires. Soft
timeout of SA occurs when a new SA is negotiated at the time when the existing
SA lives for a certain percentage of lifetime defined by seconds (such as 90%), or
when the traffic reaches a certain percentage (such as 90%) of the lifetime
Delete remote address of security tunnel
(applicable to IPSec software and crypto
card)
undo tunnel remote ip-address
Operation Command
Set IPSec proposal quoted in security
policy (applicable to IPSec software and
crypto card)
proposal proposal-name1
[proposal-name2...proposal-name6]
Cancel IPSec proposal quoted in security
policy (applicable to IPSec software and
crypto card)
undo proposal