Configuring Automatic IPsec SA Negotiation (IKE)

Configuration Workflow

This section describes the process of creating an IPsec SA through IKE negotiation and the command calling relationship.

Defining Data Flows to Be Protected

IPsec can protect various data flows. In practice, you need to define data flows through an advanced ACL and apply the ACL in a security policy. Therefore, data flows are protected.

Configuring an IKE Proposal

An IKE proposal defines a set of attribute data to describe how IKE negotiation implements security communications. Configuring an IKE proposal involves creating an IKE proposal, selecting an encryption algorithm, authentication mode, authentication algorithm, and Diffie-Hellman identifier, and setting the lifetime of the SA.

Configuring an IKE Peer

Through IKE peers, a series of attribute data can be defined to describe parameters required by IKE negotiation, including quoting IKE proposals, and configuring the negotiation mode, NAT traversal, and IKE version.

(Optional) Configuring IKE Peer Detection

The IKE peer detection function detects invalid IKE peers to avoid black holes due to unreachable SA peers that discard data flows.

Configuring an IPsec Proposal

An IPsec proposal is a combination of security protocols, algorithms, and packet encapsulation modes to implement IPsec protection. An IPsec policy determines the security protocols, algorithms, and packet encapsulation modes using the IPsec proposal.

Configuring an IPsec Policy

IPsec policies include common policies and policy templates. You can either use IPsec policies at both ends of an IPsec tunnel or use the IPsec policy at one end and IPsec policy template at the other end.

Applying an IPsec Policy

This section describes how to apply an IPsec policy to a tunnel interface to implement security protection on different data flows.

Verifying the Configuration of Automatic IPsec SA Negotiation (IKE)

Verify the configurations of automatic IPsec SA negotiation (IKE).