ipsec policy (tunnel interface view)

Function

The ipsec policy command applies an IPSec policy group on the tunnel interface.

The undo ipsec policy command restores the default setting.

By default, the IPSec policy group is not applied on the tunnel interface.

This command is supported only on the NetEngine 8000 F1A.

Format

ipsec policy policy-name { service-instance-group service-group-name }

undo ipsec policy

Parameters

Parameter: policy-name
Description: Specifies the name of an IPSec policy group applied on the interface.
Value: A string of 1 to 15 case-sensitive characters.

Parameter: service-instance-group service-group-name
Description: Specifies the name of an IPSec service instance group.
Value: A string of 1 to 31 case-insensitive characters, which cannot include the hyphen (-).

Views

Tunnel interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name: ike
Operations: write

Usage Guidelines

Usage Scenario

Each tunnel interface can apply only a single IPsec policy group. To apply a different IPsec policy group, you must first cancel the application of the current one. An IPsec policy group can be applied to only one interface.

After an IPsec policy group is applied to a tunnel interface, no new policy can be added to the group and existing policies cannot be deleted. Before you change the IPsec policy, run the undo ipsec policy command to unbind the IPsec policy group from the tunnel interface.

After you apply an IPsec policy group to a specified tunnel interface, the SA is not established immediately. The IKE negotiation is triggered to establish an SA only when the data flow that matches a certain IPsec policy is sent from the interface.

When packets are sent from a tunnel interface, the security policies in the IPsec policy group are searched one by one in ascending order of sequence number. If the ACL referenced by a security policy matches a packet, that policy is used to process the packet. If the ACL does not match, the search continues with the next security policy. If none of the ACLs referenced by the security policies matches, the packet is sent directly (that is, the packet is not protected by IPsec).
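The policy lookup described above, modelled as an added example (not Huawei code) so that an operator can check which flows a policy group would leave unprotected. It assumes a simplified ACL consisting of permit rules that match on source and destination prefix; the policy group, rules and flows are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class AclRule:
    """Simplified permit rule: match on source and destination prefix (assumption)."""
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass
class IpsecPolicy:
    seq: int              # sequence number within the policy group
    acl_rules: list       # ACL referenced by this policy


def select_policy(policy_group, src_ip, dst_ip):
    """Search policies in ascending sequence-number order and return the
    sequence number of the first policy whose ACL matches the flow.
    None means no ACL matched: the packet leaves the tunnel unprotected."""
    for policy in sorted(policy_group, key=lambda p: p.seq):
        if any(rule.matches(src_ip, dst_ip) for rule in policy.acl_rules):
            return policy.seq
    return None


def unprotected_flows(policy_group, flows):
    """Audit helper: flows (src, dst) that no policy in the group would protect."""
    return [flow for flow in flows if select_policy(policy_group, *flow) is None]


# Constructed sample policy group; policies deliberately listed out of order.
SAMPLE_GROUP = [
    IpsecPolicy(20, [AclRule("10.2.0.0/16", "192.168.0.0/16")]),
    IpsecPolicy(10, [AclRule("10.1.0.0/16", "192.168.0.0/16")]),
]

# Constructed flows the operator expects to be protected.
EXPECTED_FLOWS = [("10.1.5.5", "192.168.1.1"),
                  ("10.2.5.5", "192.168.1.1"),
                  ("172.16.0.1", "192.168.1.1")]

if __name__ == "__main__":
    for flow in EXPECTED_FLOWS:
        print(flow, "->", select_policy(SAMPLE_GROUP, *flow))
    print("unprotected:", unprotected_flows(SAMPLE_GROUP, EXPECTED_FLOWS))
```

The last flow in the sample matches no ACL and would therefore be sent in plaintext, which is the condition an operator wants to catch before applying the group.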

The undo ipsec policy command run in the interface view deletes all IKE and IPsec SAs.

An IPsec policy group can be applied to a GRE or IPsec tunnel.

Precautions

When slave-down is specified in the command, the tunnel interface is not allowed to borrow the IP address of another interface.

Example

# Apply an IPSec policy group on Tunnel 10.
<HUAWEI> system-view
[~HUAWEI] ipsec policy policy1 1 isakmp
[*HUAWEI-ipsec-policy-isakmp-policy1-1] quit
[*HUAWEI] interface Tunnel 10
[*HUAWEI-Tunnel10] tunnel-protocol ipsec
[*HUAWEI-Tunnel10] ipsec policy policy1 service-instance-group test1
Copyright © Huawei Technologies Co., Ltd.