The ipsec policy command creates or modifies an IPSec policy and displays the IPSec policy view.
The undo ipsec policy command deletes an IPSec policy.
By default, the IPSec policy is not created.
This command is supported only on the NetEngine 8000 F1A.
Parameter | Description | Value |
---|---|---|
policy-name | Indicates the name of the IPSec policy. | It is a string of 1 to 15 case-sensitive characters. |
policy-seqnum | Indicates the sequence number of the IPsec policy. | It is an integer that ranges from 1 to 10000. The smaller the value is, the higher the priority is. |
isakmp | Sets up the SA through IKE negotiation. | - |
template tempname | Indicates the name of the policy template. | It is a string of 1 to 15 case-sensitive characters. |
profile | Specifies that the IPsec framework is used to create IPsec policies. | - |
The negotiation mode must be specified when an IPsec policy is created. Once the IPsec policy is established, its negotiation mode cannot be modified. To change the negotiation mode, delete the IPsec policy first, and then specify a different negotiation mode when recreating it.
Security policies with the same name form a security policy group. A name and a sequence number together identify a unique security policy. The smaller the seq-number is, the higher the priority is. Applying a security policy group to an interface is equivalent to applying all security policies in the group. Therefore, different SAs can be used to protect different data flows.

The ipsec policy policy-name seq-number isakmp template template-name command establishes an IPsec policy according to the template through IKE negotiation. Before using this command, the template template-name should already have been created with the ipsec policy-template command. During negotiation and policy matching, the parameters defined in the template must be complied with, and the other parameters are decided by the initiator. In the policy template configuration, the acl, proposal, and IKE-peer parameters are mandatory, whereas other parameters are optional.

Only one IPsec policy in an IPsec policy group can reference the IPsec policy template. It is recommended that the IPsec policy with the lowest priority in the group be the one that references the template.
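The following configuration audit is an added example, not part of the original reference or of any vendor tool. It checks a saved configuration against the rules stated above: value ranges, the fixed negotiation mode, one template reference per group, and the template on the lowest-priority policy. The one-line form of each command, the argument order of ipsec policy-template and undo ipsec policy, and the sample names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
ipsec policy-template tpl1 1
ipsec policy branch 10 isakmp
ipsec policy branch 20 isakmp template tpl1
ipsec policy branch 30 isakmp
ipsec policy hub 5 isakmp template tpl1
ipsec policy hub 6 isakmp template tpl2
ipsec policy hub 5 profile
ipsec policy edge 20000 isakmp
"""

# Assumed line form: [undo] ipsec policy <name> <seqnum> [mode keywords...]
POLICY = re.compile(r"^(undo )?ipsec policy (\S+) (\d+)((?: \S+)*)$")

def audit(config):
    """Return findings for the policy-group rules described in the text."""
    templates, groups, findings = set(), defaultdict(dict), []
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if line.startswith("ipsec policy-template "):
            templates.add(line.split()[2])  # assumed: name is the first argument
            continue
        m = POLICY.match(line)
        if not m:
            continue
        undo, name, seq, mode = m[1], m[2], int(m[3]), m[4].split()
        if undo:
            groups[name].pop(seq, None)  # deleted, so it may be recreated
            continue
        if not 1 <= len(name) <= 15:
            findings.append(f"{name}: name is not 1 to 15 characters")
        if not 1 <= seq <= 10000:
            findings.append(f"{name} {seq}: sequence number is not in 1 to 10000")
        if groups[name].get(seq, mode) != mode:
            findings.append(f"{name} {seq}: negotiation mode changed without deleting the policy")
            continue  # mode cannot be modified, so keep the original entry
        groups[name][seq] = mode
    for name, entries in groups.items():
        tpl = {s: md[md.index("template") + 1] for s, md in entries.items() if "template" in md[:-1]}
        findings += [f"{name} {s}: template {t} is not defined" for s, t in tpl.items() if t not in templates]
        if len(tpl) > 1:
            findings.append(f"{name}: {len(tpl)} policies reference a template, only one may")
        elif tpl and max(tpl) != max(entries):
            findings.append(f"{name} {max(tpl)}: template policy is not the lowest priority in its group")
    return findings
```

Calling audit(SAMPLE) reports the mode change on hub 5, the out-of-range sequence number on edge, the misplaced template in branch, and the undefined and duplicate template references in hub.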