Applying an IPsec Policy

This section describes how to apply an IPsec policy to a tunnel interface to implement security protection on different data flows.

Context

When an IPsec policy that uses IKE negotiation is applied to an interface, the IPsec SA is not established immediately. IKE starts negotiating the IPsec SA only when the interface sends a data flow that matches the IPsec policy.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run service-location service-location-id

    A VSM HA backup group is created, and its view is displayed.

  3. Run the location slot slot-id command to bind the backup group to the CPU of the .

  4. Run commit

    The configuration is committed.

  5. Run quit

    Return to the system view.

  6. Run service-instance-group service-instance-group-name

    A VSM HA service instance group is created, and its view is displayed.

  7. Run service-location service-location-id

    The VSM HA backup group is bound to the VSM HA service instance group.

  8. Run commit

    The configuration is committed.

  9. Run quit

    Return to the system view.

  10. Run interface tunnel tunnel-number

    A tunnel interface is created, and the tunnel interface view is displayed.

    You need to create a tunnel interface first. An IPsec policy can be applied only to a tunnel interface, not to a physical interface.

  11. Run tunnel-protocol ipsec

    IPsec is configured on the tunnel interface.

  12. Run either of the following commands to configure an IP address for the tunnel interface:
    • Run the ip address ip-address mask command to configure an IP address for the tunnel interface.

    • Run the ip address unnumbered interface interface-type interface-number command to configure the tunnel interface to borrow an IP address from another interface.

    Use the first command whenever an IP address is available on the device. Use the second command only when no IP address is available.

    Borrowing an IP address (the second command) carries the following risks:
    • If a tunnel interface configured with the tunnel-protocol ipsec command borrows the IP address of a physical or logical interface, that interface must not be bound to other services; otherwise, the traffic of those services is also diverted into the IPsec tunnel.
    • If the IP address of the lending physical or logical interface changes, IPsec negotiation fails.
    • If the lending interface is a physical interface that alternates between up and down, IPsec negotiation may fail.

  13. Run ipsec policy policy-name service-instance-group service-instance-group-name

    An IPsec policy is applied to the tunnel interface and bound to the VSM HA service instance group created in step 6.

    To use IPsec on a DSVPN-enabled interface, run the ipsec policy profile-name service-instance-group service-instance-group-name [ share ] command to bind an IPsec profile to the interface instead.

    Generally, an IPsec profile can be applied to only one interface. When multiple mGRE tunnels of a DSVPN share the same source and the same IPsec profile must be applied to several tunnel interfaces so that they share one IPsec tunnel, specify the share parameter when running this command.

    The share parameter can be used only in this scenario. mGRE tunnels with the same source address must be configured with different keys, and the tunnel-protocol gre p2mp command and the source [ source-ip-address | { interface-name | interface-type interface-number } ] command must be run on each such tunnel interface.

    DSVPN is supported only on the NetEngine 8000 F1A.

  14. (Optional) Run ipsec generate-service-route

    Automatic IPsec service route generation is enabled.

    Automatic IPsec service route generation is mainly used in the following two scenarios:
    • When a security policy is used to establish IPsec tunnels, the IPsec service route information of the remote end (such as its IP address and interface) may be unknown in advance, so static routes cannot be configured manually. In this case, run the ipsec generate-service-route command so that the service routes are generated automatically.

    • When IPsec tunnels are established using an IPsec policy template, IPsec service routes are generated automatically during IPsec negotiation. If you prefer to provide the IPsec service routes through manually configured static routes, first run the undo ipsec generate-service-route command to disable automatic generation.

  15. Run commit

    The configuration is committed.
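The following CLI session walks through steps 1 to 15 end to end. It is an added illustration, not configuration taken from this page or from a Huawei reference example. The device name HUAWEI, backup group ID 1, slot 1, service instance group name group1, tunnel interface Tunnel 10, address 10.1.1.1/24 and IPsec policy name policy1 are all assumed values; policy1 is assumed to have been created beforehand with IKE negotiation, as the Context section requires. The `[~...]` and `[*...]` prompt forms are shown as they appear on a device that uses two-stage (commit) configuration and are illustrative only.

```text
# Added example; names, IDs and addresses are assumptions, not values from the page.
<HUAWEI> system-view
# Step 2-5: create the VSM HA backup group and bind it to the CPU in slot 1.
[~HUAWEI] service-location 1
[*HUAWEI-service-location-1] location slot 1
[*HUAWEI-service-location-1] commit
[~HUAWEI-service-location-1] quit
# Step 6-9: create the service instance group and bind the backup group to it.
[~HUAWEI] service-instance-group group1
[*HUAWEI-service-instance-group-group1] service-location 1
[*HUAWEI-service-instance-group-group1] commit
[~HUAWEI-service-instance-group-group1] quit
# Step 10-11: the policy can only be applied to a tunnel interface running IPsec.
[~HUAWEI] interface Tunnel 10
[*HUAWEI-Tunnel10] tunnel-protocol ipsec
# Step 12: a dedicated address is preferred over "ip address unnumbered", which
# would tie IPsec negotiation to the state and address of the lending interface.
[*HUAWEI-Tunnel10] ip address 10.1.1.1 255.255.255.0
# Step 13: apply the (assumed, pre-existing) IPsec policy and bind the HA group.
[*HUAWEI-Tunnel10] ipsec policy policy1 service-instance-group group1
# Step 14 (optional): let IPsec service routes be generated during negotiation.
[*HUAWEI-Tunnel10] ipsec generate-service-route
# Step 15: nothing takes effect until the commit.
[*HUAWEI-Tunnel10] commit
[~HUAWEI-Tunnel10]
```

After the final commit no IPsec SA exists yet: as the Context section states, IKE only negotiates the SA once Tunnel 10 sends traffic matching policy1, so an absent SA immediately after configuration is expected rather than a fault. On a DSVPN-enabled NetEngine 8000 F1A, step 13 would instead bind an IPsec profile with the `[ share ]` form described above.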

Copyright © Huawei Technologies Co., Ltd.