- If the IPSec proposal employs the Authentication Header (AH) protocol, the keyword ah is used for the authentication key and the SPI of the SA. If the proposal employs the Encapsulating Security Payload (ESP) protocol, the keyword esp is used for the authentication key, encryption key, and the SPI of the SA.
- You can enter the key either as a character string or as a hexadecimal string. If you enter the key in both formats, the key entered most recently takes effect. You must enter the key in the same format at both ends of a security tunnel; if the key formats differ, the security tunnel cannot be set up.
- You can set or modify the local address of an IPSec policy group only before the group is applied to an interface. Do not set the local address for an IPSec policy group that is applied to an IPSec tunnel interface, and do not set it for an IPSec policy that uses the transport encapsulation mode. The interface whose IP address is used as the local address of the IPSec policy group must be a loopback interface. In addition, a valid IP address must be set on the loopback interface, and a target board and the IPSec tunnel protocol must be bound to the loopback interface.
- For the same data flow, both communicating parties must use the same protocol, algorithm, encapsulation mode, IPSec proposal, encryption key, and authentication key. Otherwise, communication fails.
Data Planning
No. | Data
1 | Name of the IPSec policy, and whether the manual mode or the IKE negotiation mode is adopted
2 | ACL used by the IPSec policy
3 | IPSec proposal used by the IPSec policy
4 | SPI, key, and peer IP address of the security tunnel (manual mode)
5 | IKE peer name, SA lifetime, and Diffie-Hellman (DH) group for PFS (IKE negotiation mode)
Operation Procedure
Manual configuration mode
1. Run ipsec policy to create an IPSec policy and enter its view.
2. Run security acl to set the ACL used by the IPSec policy.
3. Run proposal to set the IPSec proposal used by the IPSec policy.
4. Run sa string-key to set the authentication key of the SA in manual configuration mode. Type a character string as the key. If you specify ah, the key is the AH authentication key; AH does not support packet encryption, so no encryption key is required. If you specify esp, the key is both the ESP authentication key and the ESP encryption key.
6. Run sa encryption-hex to set the encryption key of the ESP protocol in manual configuration mode. Type a hexadecimal string as the key. This command applies to ESP only; AH does not support packet encryption.
7. Run sa spi to set the SPI of the SA in manual configuration mode.
8. Run tunnel remote to set the peer IP address of the tunnel.
9. Run ipsec policy local-address in the system view to set the local address of the IPSec policy group. You can also specify the name, interface type, and interface number of the IPSec policy. The interface whose IP address is used as the local address of the IPSec policy group must be a loopback interface. For the configuration procedure of a loopback interface, see 6.8.1 Creating the Loopback Interface.
NOTE
If the local address of the IPSec policy group is specified, the IP address of the specified interface is used as the local address of the IPSec tunnel. If the local address of the IPSec policy group is not specified, the IP address of the interface to which the IPSec policy is applied is used as the local address of the IPSec tunnel.
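The rules stated in the bullets above and in the manual-mode steps (same protocol, proposal, mode, SPI and keys at both ends; the most recently entered key takes effect; keys must be entered in the same format at both ends; AH has no encryption key) can be checked before the configuration is pushed. The following is an added example, not vendor code: the ManualSA class, check_pair function and sample values are constructed here to model one direction of a manually keyed SA (local inbound against the peer's outbound).

```python
from dataclasses import dataclass, field


@dataclass
class ManualSA:
    """Constructed model of one direction of a manually keyed SA."""
    protocol: str                                   # "ah" or "esp"
    spi: int
    proposal: str
    mode: str                                       # "tunnel" or "transport"
    auth_keys: list = field(default_factory=list)   # (format, value) in entry order
    enc_keys: list = field(default_factory=list)

    def set_key(self, kind: str, fmt: str, value: str) -> None:
        # Keep every entry so effective() can apply the "latest key takes effect" rule.
        (self.auth_keys if kind == "auth" else self.enc_keys).append((fmt, value))

    def effective(self, kind: str):
        keys = self.auth_keys if kind == "auth" else self.enc_keys
        return keys[-1] if keys else None           # most recent entry wins


def check_pair(local: ManualSA, remote: ManualSA) -> list:
    """Return the reasons the two ends would fail to match; an empty list means OK."""
    problems = []
    for attr in ("protocol", "spi", "proposal", "mode"):
        if getattr(local, attr) != getattr(remote, attr):
            problems.append(f"{attr} differs: {getattr(local, attr)!r} vs {getattr(remote, attr)!r}")
    # AH authenticates only; an encryption key on either end is a configuration error.
    if local.protocol == "ah" and (local.enc_keys or remote.enc_keys):
        problems.append("AH does not use an encryption key; remove it")
    kinds = ["auth"] + (["enc"] if local.protocol == "esp" else [])
    for kind in kinds:
        l_key, r_key = local.effective(kind), remote.effective(kind)
        if l_key is None or r_key is None:
            problems.append(f"{kind} key missing on one end")
        elif l_key[0] != r_key[0]:
            # Same bytes in different formats still fail: the formats must match.
            problems.append(f"{kind} key entered in {l_key[0]} format locally but {r_key[0]} remotely")
        elif l_key[1] != r_key[1]:
            problems.append(f"{kind} key values differ")
    return problems


if __name__ == "__main__":
    a = ManualSA("esp", 12345, "prop1", "tunnel")
    a.set_key("auth", "string", "authkey1"); a.set_key("enc", "hex", "0a1b2c3d")
    b = ManualSA("esp", 12345, "prop1", "tunnel")
    b.set_key("auth", "string", "authkey1"); b.set_key("enc", "string", "enckey2")
    print(check_pair(a, b))   # flags the encryption-key format mismatch
```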
IKE negotiation mode
NOTE
You must create an IKE peer before using the IKE negotiation mode. For details, see 6.9.4 Configuring the IKE Peer Attributes.
1. Run ipsec policy to create an IPSec policy and enter its view.
2. Run security acl to set the ACL used by the IPSec policy.
3. Run proposal to set the IPSec proposal used by the IPSec policy.
4. Run ike-peer to set the IKE peer used by the IPSec policy in IKE negotiation mode.
5. Run pfs to set the PFS feature of the IPSec policy template in IKE negotiation mode.
6. Run sa duration to set the lifetime of the SA.
NOTE
- When SAs are generated through IKE negotiation and the IPSec policy has no lifetime configured, the global SA lifetime configured with ipsec sa global-duration is used in the negotiation with the peer.
- A new lifetime does not affect established SAs; it is used only for SAs established in later IKE negotiations.
7. Run ipsec policy local-address in the system view to set the local address of the IPSec policy group. You can also specify the name, interface type, and interface number of the IPSec policy. The interface whose IP address is used as the local address of the IPSec policy group must be a loopback interface. For the configuration procedure of a loopback interface, see 6.8.1 Creating the Loopback Interface.
NOTE
If the local address of the IPSec policy group is specified, the IP address of the specified interface is used as the local address of the IPSec tunnel. When the IPSec policy group is applied to multiple interfaces, these interfaces employ the same SA to protect the same data flows. If the local address of the IPSec policy group is not specified, the IP address of the interface to which the IPSec policy is applied is used as the local address of the IPSec tunnel. The interfaces generate their respective SAs to protect the same data flows.