(Optional) Configuring an IPsec Profile

Configure an IPsec profile to encrypt transmitted data to improve network security.

Context

Data transmitted between the HQ and branches, and between branches can be encrypted to increase data security. Bind an IPsec profile to DSVPN so that an mGRE tunnel and an IPsec tunnel are dynamically established between branches.

Procedure

  1. For details, see Configuring an IKE Proposal.
  2. For details, see Configuring an IKE Peer.

    For DSVPN, you do not need to run the remote-id remote-id command to set a peer ID, or the remote-address [ authentication-address | vpn-instance vpn-instance-name ] remote-low-address [ remote-high-address ] command to set a peer IP address.

  3. For details, see Configuring an IPsec Proposal.
  4. (Optional) Configure an IKE filter set.
    1. Run system-view

      The system view is displayed.

    2. Run ike identity name

      The local filter set is configured for IKE negotiation and the IKE filter set view is displayed.

    3. Run ip address ip-address { mask | mask-length }

      The IP address of the IKE peer that is allowed to access the local device is configured.

    4. Run fqdn fqdn

      The domain name of the IKE peer that is allowed to access the device is configured.

    5. Run user-fqdn user-fqdn

      The host domain name is configured for the IKE peer that is allowed to access the device.

    6. Run dn dn

      The distinguished name (DN) of a digital certificate is configured for the IKE peer that is allowed to access the device.

    7. Run quit

      Exit the IKE filter set view.

    8. Run commit

      The configuration is committed.

  5. Configure an IPsec profile.
    1. Run system-view

      The system view is displayed.

    2. Run ipsec policy policy-name profile

      The IPsec profile view is displayed.

    3. Run proposal proposal-name

      An IPsec proposal is applied in the IPsec profile.

    4. Run ike-peer peer-name

      An IKE peer is applied in the IPsec profile.

    5. (Optional) Run pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 | dh-group21 }

      The PFS feature is configured for negotiation.

      If the local end uses PFS, the peer must perform PFS exchange when initiating a negotiation. The DH groups specified on the local and peer ends must be consistent. Otherwise, the negotiation fails.

    6. (Optional) Run remote ike-identity name

      The IKE filter set is applied to the profile, which allows IKE peers that match it to access the local device.

      When the IPsec profile applies the previously defined IKE filter set (IKE identity), the negotiation is performed based on the IKE filter set. If the IKE filter set is not applied, the negotiation is not performed.

    7. Run quit

      Exit the IPsec profile view.

    8. Run commit

      The configuration is committed.

  6. Apply the IPsec profile.

    For details, see Applying an IPsec Policy.
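As an added example (not Huawei's code), a small Python checker that reads two profile configurations written in the command syntax above and flags the two ways this procedure can fail: a profile that references a proposal, IKE peer or IKE filter set that was never defined, and a PFS DH group that differs between the local and peer ends, which makes the negotiation fail. The configuration text, the object names and the assumption that both ends use the same profile name are constructed for the example.

```python
# Constructed sample configs (hypothetical names) in the command syntax this page
# uses; "ipsec proposal" and "ike peer" are assumed to define the referenced objects.
HUB_CFG = """\
ike identity branch-filter
 ip address 10.1.0.0 255.255.0.0
ipsec proposal prop1
ike peer hub-peer
ipsec policy dsvpn-prof profile
 proposal prop1
 ike-peer hub-peer
 pfs dh-group14
 remote ike-identity branch-filter
"""
SPOKE_CFG = """\
ipsec proposal prop1
ike peer spoke-peer
ipsec policy dsvpn-prof profile
 proposal prop1
 ike-peer spoke-peer
 pfs dh-group2
"""
DEFINERS = {"ipsec proposal": "proposal", "ike peer": "ike-peer", "ike identity": "ike-identity"}
REFERENCES = {"proposal": "proposal", "ike-peer": "ike-peer", "remote": "ike-identity", "pfs": "pfs"}

def parse(cfg):
    """Return ({kind: set of defined names}, {profile name: {setting: value}})."""
    defined = {kind: set() for kind in DEFINERS.values()}
    profiles, current = {}, None
    for line in cfg.splitlines():
        words = line.split()
        if not line.startswith(" "):                    # a new top-level view
            is_profile = line.startswith("ipsec policy ") and words[-1] == "profile"
            current = profiles.setdefault(words[2], {}) if is_profile else None
            for cmd, kind in DEFINERS.items():
                if line.startswith(cmd + " "):
                    defined[kind].add(words[-1])
        elif current is not None and words[0] in REFERENCES:  # inside the profile view
            current[REFERENCES[words[0]]] = words[-1]
    return defined, profiles

def check_references(cfg):
    """Flag profile references to a proposal, IKE peer or IKE filter set never defined."""
    defined, profiles = parse(cfg)
    return [f"{name}: {kind} '{ref}' is referenced but not defined"
            for name, prof in profiles.items() for kind in DEFINERS.values()
            if (ref := prof.get(kind)) and ref not in defined[kind]]

def check_pfs(local_cfg, peer_cfg):
    """Flag profiles whose PFS DH group differs between the two ends (negotiation would fail)."""
    local, peer = parse(local_cfg)[1], parse(peer_cfg)[1]
    return [f"{name}: PFS mismatch {local[name].get('pfs')} vs {peer[name].get('pfs')}"
            for name in local if name in peer and local[name].get("pfs") != peer[name].get("pfs")]
```

Running check_pfs(HUB_CFG, SPOKE_CFG) reports the dh-group14 versus dh-group2 mismatch on dsvpn-prof, while both sample configs pass check_references.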

Copyright © Huawei Technologies Co., Ltd.