ipsec policy (profile) (tunnel interface view)

Function

The ipsec policy command applies an IPSec profile on the tunnel interface.

The undo ipsec policy command restores the default setting.

By default, the IPSec profile is not applied on the tunnel interface.

This command is supported only on the NetEngine 8000 F1A.

Format

ipsec policy profile-name service-instance-group service-group-name

ipsec policy profile-name service-instance-group service-group-name [ share ]

undo ipsec policy

Parameters

Parameter | Description | Value
profile-name | Specifies the name of the IPSec profile applied on the interface. | A string of 1 to 15 case-insensitive characters.
service-instance-group service-group-name | Specifies the name of the IPSec service instance group. | A string of 1 to 31 case-insensitive characters, which cannot include the hyphen (-).
share | Applies the same IPSec profile to multiple tunnel interfaces so that they share one IPSec tunnel. This parameter can be used only when multiple mGRE tunnels on a DSVPN network have the same source. | -

Views

Tunnel interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name | Operations
ike | write

Usage Guidelines

Usage Scenario

An IPSec profile is similar to an IPSec policy, but differs from it in several ways: it is identified by its name, it can be configured only in IKE negotiation mode, it does not support ACL configuration (data flows are not selected by ACL), and it can be applied only to a tunnel interface. An IPSec profile defines the IPSec proposals used to protect data flows, the IKE negotiation parameters used to set up SAs, the SA lifetime, and the PFS setting. After an IPSec profile is applied to an IPSec tunnel interface, only one IPSec tunnel is created. That tunnel protects all data flows routed to the tunnel interface, which simplifies IPSec policy management.

On a tunnel interface, only one IPSec profile can be applied. If you want to apply another security profile, you must cancel application of the current IPSec profile.

Generally, an IPSec profile can be applied to only one tunnel interface; the share parameter is the only exception.

In a DSVPN scenario where multiple mGRE tunnels have the same source, if the same IPSec profile needs to be applied to multiple tunnel interfaces so that they share one IPSec tunnel, the share parameter must be added when running this command. This parameter can be used only in this scenario. In addition, mGRE tunnels with the same source must be configured with different identification keys (GRE keys), so that the receiving end can tell the tunnels apart. Only the NetEngine 8000 F1A supports DSVPN.

Prerequisites

Before running the ipsec policy profile-name service-instance-group service-group-name share command (that is, with the share parameter) on a tunnel interface, run the tunnel-protocol gre p2mp command and the source [ source-ip-address | { interface-name | interface-type interface-number } ] command on that interface.

Example

# Apply an IPSec profile on Tunnel 10.
<HUAWEI> system-view
[~HUAWEI] ipsec policy profile1 profile
[*HUAWEI] interface Tunnel 10
[*HUAWEI-Tunnel10] tunnel-protocol ipsec
[*HUAWEI-Tunnel10] ipsec policy profile1 service-instance-group test1
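The example above applies a profile to a single IPSec tunnel interface. The following is an added example, not taken from the Huawei documentation, that walks through the DSVPN share scenario described in the Usage Guidelines: two mGRE tunnel interfaces with the same source share one IPSec tunnel through one profile. It assumes that the profile profile1 and the service instance group test1 exist as in the page's own example, that 10.1.1.1 is the local tunnel source (a constructed address), that the identification key is set with the gre key command, and that changes are committed with commit (the [*...] prompt marks uncommitted two-stage configuration). NHRP, IP addressing and routing for DSVPN are omitted; lines beginning with # are annotations in the style of the page's own example, not input.

```text
# Apply one IPSec profile to two mGRE tunnels that share the same source.
<HUAWEI> system-view
[~HUAWEI] ipsec policy profile1 profile
# First mGRE tunnel: tunnel-protocol gre p2mp and source are prerequisites for share.
[*HUAWEI] interface Tunnel 10
[*HUAWEI-Tunnel10] tunnel-protocol gre p2mp
[*HUAWEI-Tunnel10] source 10.1.1.1
# Identification key must differ from the other tunnel with the same source (assumed command: gre key).
[*HUAWEI-Tunnel10] gre key 10
[*HUAWEI-Tunnel10] ipsec policy profile1 service-instance-group test1 share
[*HUAWEI-Tunnel10] quit
# Second mGRE tunnel: same source, different key, same profile with share.
[*HUAWEI] interface Tunnel 20
[*HUAWEI-Tunnel20] tunnel-protocol gre p2mp
[*HUAWEI-Tunnel20] source 10.1.1.1
[*HUAWEI-Tunnel20] gre key 20
[*HUAWEI-Tunnel20] ipsec policy profile1 service-instance-group test1 share
[*HUAWEI-Tunnel20] quit
# Commit so the configuration takes effect on both interfaces.
[*HUAWEI] commit
```

Two checks worth making after the commit: the command is rejected if share is given on an interface whose tunnel-protocol is not gre p2mp or whose source is unset, so configure those first; and after IKE negotiation completes, the IPSec SA listing (display ipsec sa, assumed here) should show one IPSec tunnel for the shared source rather than one tunnel per interface. If the two interfaces were given the same gre key, the receiving end could not tell the mGRE tunnels apart, which is why the keys must differ.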
Copyright © Huawei Technologies Co., Ltd.