Applying an ipsec policy group to an interface – H3C Technologies H3C SecPath F1000-E User Manual

181

| Step | Command | Remark |
|---|---|---|
| 6. Enable and configure the perfect forward secrecy feature for the IPsec policy. | pfs { dh-group1 \| dh-group2 \| dh-group5 \| dh-group14 } | Optional. By default, the PFS feature is not used for negotiation. In FIPS mode, the firewall does not support the dh-group1 keyword. For more information about PFS, see "Configuring IKE." |
| 7. Configure the SA lifetime. | sa duration { time-based seconds \| traffic-based kilobytes } | Optional. By default, the global SA lifetime settings are used. |
| 8. Set the anti-replay information synchronization intervals in IPsec stateful failover mode. | synchronization anti-replay-interval inbound inbound-number outbound outbound-number | Optional. By default, the inbound anti-replay window information is synchronized whenever 1000 packets are received, and the outbound anti-replay sequence number is synchronized whenever 100000 packets are sent. |
| 9. Enable the IPsec policy. | policy enable | Optional. Enabled by default. |
| 10. Return to system view. | quit | N/A |
| 11. Configure the global SA lifetime. | ipsec sa global-duration { time-based seconds \| traffic-based kilobytes } | Optional. 3600 seconds for time-based SA lifetime by default; 1843200 kilobytes for traffic-based SA lifetime by default. |
| 12. Create an IPsec policy by referencing an IPsec policy template. | ipsec policy policy-name seq-number isakmp template template-name | By default, no IPsec policy exists. |

Applying an IPsec policy group to an interface

An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.

You can apply an IPsec policy group to a logical or physical interface to protect certain data flows. To cancel the IPsec protection, remove the application of the IPsec policy group.

For each packet to be sent out an IPsec protected interface, the system looks through the IPsec policies in the IPsec policy group in ascending order of sequence numbers. If an IPsec policy matches the packet, the system uses the IPsec policy to protect the packet. If no match is found, the system sends the packet out without IPsec protection.

In addition to physical interfaces like serial and Ethernet ports, you can apply an IPsec policy to virtual interfaces, such as tunnel and virtual template interfaces, to tunnel applications such as GRE and L2TP.
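The lookup order described above has a practical consequence: a policy with a broader flow selector and a lower sequence number silently captures traffic that a later, more specific policy was meant to handle, and any flow no policy matches leaves the interface in the clear. The following Python model is an added example, not H3C code or a description of the firewall's internals. It walks a constructed policy group in ascending sequence-number order, reports which policies can never be selected, and applies the SA lifetime precedence from steps 7 and 11 (a per-policy `sa duration` wins over the global default). The flow selector is simplified to a source/destination network pair standing in for the ACL a real policy references, and the assumption that a policy disabled with `undo policy enable` is skipped is the example's, not the manual's.

```python
# Added example (not H3C code): a small model of how a policy group is searched
# when a packet leaves an IPsec-protected interface, plus a check for policies
# that can never match because an earlier (lower sequence number) policy already
# covers their whole flow. Flow selectors are simplified to a source/destination
# network pair; real policies reference an ACL.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Device defaults stated in the manual (step 11): 3600 s and 1843200 KB.
GLOBAL_SA_LIFETIME = {"time-based": 3600, "traffic-based": 1843200}


@dataclass(frozen=True)
class IpsecPolicy:
    group: str              # policy-name; all members of a group share it
    seq: int                # seq-number; smaller means higher priority
    src: IPv4Network        # simplified stand-in for the referenced ACL
    dst: IPv4Network
    enabled: bool = True    # "policy enable" (on by default)
    pfs: Optional[str] = None                      # e.g. "dh-group14"
    sa_duration: Optional[Tuple[str, int]] = None  # ("time-based", 1800) or None

    def matches(self, src_ip: IPv4Address, dst_ip: IPv4Address) -> bool:
        # Assumption of this model: a policy disabled with "undo policy enable"
        # is skipped during the search.
        return self.enabled and src_ip in self.src and dst_ip in self.dst

    def effective_lifetime(self, kind: str) -> int:
        # A per-policy "sa duration" (step 7) overrides the global value set
        # with "ipsec sa global-duration" (step 11).
        if self.sa_duration is not None and self.sa_duration[0] == kind:
            return self.sa_duration[1]
        return GLOBAL_SA_LIFETIME[kind]


def policy_group(policies: List[IpsecPolicy], name: str) -> List[IpsecPolicy]:
    """All policies with the given name, in ascending sequence-number order."""
    return sorted((p for p in policies if p.group == name), key=lambda p: p.seq)


def select_policy(policies, name, src_ip, dst_ip) -> Optional[IpsecPolicy]:
    """First matching policy in the group, or None (packet sent unprotected)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for policy in policy_group(policies, name):
        if policy.matches(src, dst):
            return policy
    return None


def shadowed_policies(policies, name) -> List[Tuple[int, int]]:
    """(shadowed_seq, shadowing_seq) pairs: the later policy is never selected."""
    group = policy_group(policies, name)
    found = []
    for i, later in enumerate(group):
        for earlier in group[:i]:
            if (earlier.enabled and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                found.append((later.seq, earlier.seq))
                break
    return found


# Constructed sample group "branch" (illustrative values, not from the manual).
POLICIES = [
    IpsecPolicy("branch", 10, ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"),
                pfs="dh-group14", sa_duration=("time-based", 1800)),
    # Meant to give the server subnet a tighter traffic-based lifetime, but
    # seq 10 already covers this whole flow, so this policy is never reached.
    IpsecPolicy("branch", 20, ip_network("10.1.5.0/24"), ip_network("10.2.5.0/24"),
                pfs="dh-group14", sa_duration=("traffic-based", 102400)),
    IpsecPolicy("branch", 30, ip_network("192.168.0.0/24"), ip_network("10.3.0.0/16")),
]

if __name__ == "__main__":
    chosen = select_policy(POLICIES, "branch", "10.1.5.7", "10.2.5.9")
    print("10.1.5.7 -> 10.2.5.9 uses seq", chosen.seq,
          "with time-based lifetime", chosen.effective_lifetime("time-based"))
    print("172.16.0.1 -> 10.2.0.1 :", select_policy(POLICIES, "branch", "172.16.0.1", "10.2.0.1"))
    print("shadowed (later, earlier):", shadowed_policies(POLICIES, "branch"))
```

Running the block shows the 10.1.5.0/24 to 10.2.5.0/24 flow being handled by sequence number 10 rather than the more specific 20, a flow outside every selector returning `None`, and `shadowed_policies` flagging `(20, 10)`; fixing that configuration means giving the more specific policy the smaller sequence number.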
To apply an IPsec policy group to an interface:
