570 CHAPTER 40: CONFIGURING IPSEC

| Operation | Command |
|---|---|
| Delete local address of security tunnel (applicable to IPSec software and crypto card) | undo tunnel local ip-address |
| Set remote address of security tunnel (applicable to IPSec software and crypto card) | tunnel remote ip-address |
| Delete remote address of security tunnel (applicable to IPSec software and crypto card) | undo tunnel remote ip-address |

By default, the start point and the end point of the security tunnel are not specified.

Set IPSec proposal quoted in security policy

When an SA is created manually, a security policy can quote only one IPSec proposal; to set a new IPSec proposal, the previously configured one must be deleted first. If the local IPSec proposal does not match the peer's proposal completely, the SA cannot be established, and the messages that require protection are discarded.

The security policy determines its protocol, algorithm and encapsulation mode by quoting the IPSec proposal. An IPSec proposal must be established before it is quoted.

Perform the following configurations in IPSec policy view.

Table 642 Configure IPSec Proposal Quoted in Security Policy

| Operation | Command |
|---|---|
| Set IPSec proposal quoted in security policy (applicable to IPSec software and crypto card) | proposal proposal-name |
| Cancel IPSec proposal quoted in security policy (applicable to IPSec software and crypto card) | undo proposal |

By default, the security policy quotes no IPSec proposal.

Set SPI of security policy association and its adopted key

In a security policy association established manually, if the AH protocol is included in the quoted IPSec proposal, the SPI of the AH SA and the authentication key must be set manually for both inbound and outbound communications. If the ESP protocol is included in the quoted IPSec proposal, the SPI of the ESP SA, the authentication key and the ciphering key must be set manually for both inbound and outbound communications.

At both ends of a security tunnel, the SPI and the key of the local inbound SA must be the same as those of the peer outbound SA, and the SPI and the key of the local outbound SA must be the same as those of the peer inbound SA.
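The mirroring rule above, together with the requirement that both ends quote completely matching proposals, can be checked offline before the values are entered on the devices. The following Python check is an added example, not part of the manual; the field names, addresses, SPIs and keys are constructed, and nothing in it is device command syntax.

```python
# Added example: all names and sample values below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class ManualSA:
    spi: int
    auth_key: str          # hex string (placeholder values here)
    cipher_key: str = ""   # ESP only; left empty for AH

@dataclass(frozen=True)
class Endpoint:
    tunnel_local: str
    tunnel_remote: str
    proposal: tuple        # (protocol, auth algorithm, cipher, encapsulation mode)
    inbound: dict          # protocol name -> ManualSA
    outbound: dict

def mirror_errors(a: Endpoint, b: Endpoint) -> list:
    """Return every way the two ends fail to mirror; keys are never echoed."""
    errors = []
    if (a.tunnel_local, a.tunnel_remote) != (b.tunnel_remote, b.tunnel_local):
        errors.append("tunnel local/remote addresses are not mirrored")
    if a.proposal != b.proposal:
        errors.append("IPSec proposals do not match completely")
    # Each end's outbound SA must equal the other end's inbound SA.
    for src, dst, label in ((a, b, "A->B"), (b, a, "B->A")):
        for proto in sorted(set(src.outbound) | set(dst.inbound)):
            out_sa, in_sa = src.outbound.get(proto), dst.inbound.get(proto)
            if out_sa is None or in_sa is None:
                errors.append(f"{label} {proto}: SA missing on one end")
                continue
            if out_sa.spi != in_sa.spi:
                errors.append(f"{label} {proto}: SPI mismatch")
            if out_sa.auth_key != in_sa.auth_key:
                errors.append(f"{label} {proto}: authentication key mismatch")
            if out_sa.cipher_key != in_sa.cipher_key:
                errors.append(f"{label} {proto}: ciphering key mismatch")
    return errors

# Constructed sample data (documentation addresses, placeholder keys).
PROPOSAL = ("esp", "sha1", "3des", "tunnel")
IN_A, OUT_A = ManualSA(54321, "aa11", "bb22"), ManualSA(12345, "cc33", "dd44")
SITE_A = Endpoint("192.0.2.1", "198.51.100.1", PROPOSAL, {"esp": IN_A}, {"esp": OUT_A})
SITE_B = Endpoint("198.51.100.1", "192.0.2.1", PROPOSAL, {"esp": OUT_A}, {"esp": IN_A})
# Typical mistake: A's SA settings pasted onto B without swapping directions.
SITE_B_COPIED = Endpoint("198.51.100.1", "192.0.2.1", PROPOSAL, {"esp": IN_A}, {"esp": OUT_A})

if __name__ == "__main__":
    for name, peer in (("mirrored", SITE_B), ("copied", SITE_B_COPIED)):
        print(name, mirror_errors(SITE_A, peer) or "OK")
```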

3Com 10014299 manual