Command Reference Guide
ipsec policy (System view)
3Com Router 5000 Family and Router 6000 Family Command Reference
Description Use the ipsec policy policy-name seq-number isakmp template
template-name command to establish an ipsec policy according to the template
through IKE negotiation. The template should have been created before this
command is used. During negotiation and policy matching, the parameters defined in
the template should be complied with; the other parameters are decided by the initiator.
The proposal must be defined in the policy template; other parameters are optional.
To establish an ipsec policy, it is necessary to specify the negotiation mode (manual or
isakmp). To modify the ipsec policy, it is not necessary to specify a negotiation mode.
Once the ipsec policy is established, its negotiation mode cannot be modified. For
example, if an ipsec policy is established in manual mode, it cannot be changed to
isakmp mode; the ipsec policy must be deleted and then recreated, if appropriate,
with isakmp as the negotiation mode.
Ipsec policies with the same name constitute an ipsec policy group. The name and
sequence number are used together to define a unique ipsec policy. An ipsec policy
group can contain at most 100 ipsec policies. Within an ipsec policy group, the
smaller the sequence number of an ipsec policy, the higher its preference. Applying
an ipsec policy group at an interface means applying all ipsec policies in the group
simultaneously, so that different data streams can be protected by different
SAs.
CAUTION:
■ IKE will not use a policy with a template argument to initiate a negotiation. Rather,
it uses such a policy to respond to the negotiation initiated by its peer.
■ The sequence number of an IPSec policy configured by referencing an IPSec policy
template must be greater than that of an IPSec policy not configured in that way.
Otherwise, the responding party can find a match and the negotiation fails.
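The rules above (template created first, negotiation mode fixed once set, at most 100 policies per group, template-based policies numbered above the others) can be checked against a saved configuration before it is loaded. The following Python linter is an added example, not part of the 3Com manual; the bare manual/isakmp form of the command, the "ipsec policy-template <name> <seq>" argument layout and the sample configuration are assumptions.

```python
import re
from collections import defaultdict
# The template form of the command is taken from the page; the bare manual/isakmp
# form and the "ipsec policy-template <name> <seq>" layout are assumptions.
POLICY = re.compile(r"ipsec policy (\S+) (\d+)(?: (manual|isakmp)(?: template (\S+))?)?$")
TEMPLATE = re.compile(r"ipsec policy-template (\S+) \d+$")
MAX_PER_GROUP = 100  # limit stated on the page

def lint_ipsec_policies(config):
    findings, templates = [], set()
    groups = defaultdict(dict)  # group name -> {seq: (mode, template or None)}
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if t := TEMPLATE.match(line):
            templates.add(t.group(1))  # remember templates in creation order
            continue
        m = POLICY.match(line)
        if not m:
            continue  # not a system-view ipsec policy line
        name, seq, mode, tmpl = m[1], int(m[2]), m[3], m[4]
        known = groups[name].get(seq)
        if known is None:  # creating a policy: a mode is mandatory
            if mode is None:
                findings.append(f"line {n}: {name} {seq} created without a negotiation mode")
            elif tmpl and tmpl not in templates:
                findings.append(f"line {n}: template {tmpl} used before it is created")
            else:
                groups[name][seq] = (mode, tmpl)
        elif mode and mode != known[0]:  # modifying: the mode may be omitted, not changed
            findings.append(f"line {n}: {name} {seq} is {known[0]}; delete and recreate to change mode")
    for name, pols in groups.items():
        if len(pols) > MAX_PER_GROUP:
            findings.append(f"group {name}: {len(pols)} policies exceeds {MAX_PER_GROUP}")
        plain = [s for s, (_, tmpl) in pols.items() if tmpl is None]
        for s, (_, tmpl) in sorted(pols.items()):
            if tmpl and plain and s < max(plain):  # CAUTION rule on sequence numbers
                findings.append(f"group {name}: template policy {s} must be numbered above {max(plain)}")
    return findings

# Constructed sample configuration (not from the manual).
SAMPLE = """\
ipsec policy-template branch-tmpl 1
ipsec policy vpn 10 isakmp
ipsec policy vpn 5 isakmp template branch-tmpl
ipsec policy vpn 10 manual
ipsec policy vpn 20 isakmp template missing-tmpl
"""
if __name__ == "__main__":
    print("\n".join(lint_ipsec_policies(SAMPLE)))
```
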
Related Commands ■ display ipsec policy
■ ike peer (IPSec Policy view or IPSec Policy Template view)
■ ipsec policy (Interface view)
■ ipsec policy-template
■ proposal
■ sa duration
■ security acl
■ tunnel local
■ tunnel remote