Step 6. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature for the IPsec policy.
  Command:
    • In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }
    • In FIPS mode: pfs dh-group14
  Remarks: By default, the PFS feature is not used for SA negotiation. For more information about PFS, see "Configuring IKE." The security level of the local Diffie-Hellman group must be higher than or equal to that of the peer. The end without the PFS feature performs SA negotiation according to the PFS requirements of the peer end.

Configuring a manual IPsec policy

In a manual IPsec policy, the parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode.

Configuration restrictions and guidelines

Make sure the IPsec configurations at the two ends of an IPsec tunnel meet the following requirements:
• The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
• The remote IPv4 address configured on the local end must be the same as the primary IPv4 address of the interface applied with the IPsec policy at the remote end. The remote IPv6 address configured on the local end must be the same as the first IPv6 address of the interface applied with the IPsec policy at the remote end.
• At each end, configure parameters for both the inbound SA and the outbound SA, and make sure the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP address, security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique.
• The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.
• The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters.

Configuration procedure

To configure a manual IPsec policy:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create a manual IPsec policy entry and enter its view.
  Command: ipsec { ipv6-policy | policy } policy-name seq-number manual
  Remarks: By default, no IPsec policy exists.

Step 3. (Optional.) Configure a description for the IPsec policy.
  Command: description text
  Remarks: By default, no description is configured.
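The restrictions above are easy to get wrong when two ends are configured by hand, so the following added example (not from the HPE/H3C guide, and not Comware CLI) checks a pair of manual IPsec policy entries against them: matching transform sets, mirrored remote addresses, local-inbound/peer-outbound SPI and key equality, a single key format across all four SAs, and per-device uniqueness of outbound triplets and inbound SPIs. The dict layout and the sample addresses, SPIs and keys are constructed for illustration.

```python
# Added example, not from the HPE/H3C guide; dicts are a constructed model.
def sa(spi, key, key_format):
    """One SA direction: SPI, key, and key format ('string' or 'hex')."""
    return {"spi": spi, "key": key, "key_format": key_format}

def check_policy_pair(local, remote):
    """Return rule violations between one end and its peer (empty = OK)."""
    problems = []
    # Transform sets must use the same protocol, algorithms, encapsulation.
    for field in ("protocol", "encryption", "auth", "mode"):
        if local[field] != remote[field]:
            problems.append(f"transform set mismatch: {field}")
    # Each end's remote address must be the peer's interface address.
    if local["remote_ip"] != remote["local_ip"]:
        problems.append("local remote address != peer interface address")
    if remote["remote_ip"] != local["local_ip"]:
        problems.append("peer remote address != local interface address")
    # Local inbound SA must mirror peer outbound SA, and vice versa.
    for label, a, b in (("local in/peer out", local["inbound"], remote["outbound"]),
                        ("local out/peer in", local["outbound"], remote["inbound"])):
        for f in ("spi", "key"):
            if a[f] != b[f]:
                problems.append(f"{f} mismatch: {label}")
    # All four SAs must use keys in the same format.
    formats = {s["key_format"] for end in (local, remote)
               for s in (end["inbound"], end["outbound"])}
    if len(formats) > 1:
        problems.append("mixed key formats: " + ", ".join(sorted(formats)))
    return problems

def check_sa_uniqueness(entries):
    """Per device: outbound (remote IP, protocol, SPI) and inbound SPI unique."""
    problems, out_seen, in_seen = [], set(), set()
    for e in entries:
        triplet = (e["remote_ip"], e["protocol"], e["outbound"]["spi"])
        if triplet in out_seen:
            problems.append(f"duplicate outbound triplet {triplet}")
        out_seen.add(triplet)
        if e["inbound"]["spi"] in in_seen:
            problems.append(f"duplicate inbound SPI {e['inbound']['spi']}")
        in_seen.add(e["inbound"]["spi"])
    return problems

# Constructed sample: two ends with mirrored SPIs and character-format keys.
TS = {"protocol": "esp", "encryption": "aes-cbc-128", "auth": "sha1", "mode": "tunnel"}
A = {**TS, "local_ip": "192.0.2.1", "remote_ip": "192.0.2.2",
     "inbound": sa(12345, "abcdefghijklmnop", "string"),
     "outbound": sa(54321, "ponmlkjihgfedcba", "string")}
B = {**TS, "local_ip": "192.0.2.2", "remote_ip": "192.0.2.1",
     "inbound": sa(54321, "ponmlkjihgfedcba", "string"),
     "outbound": sa(12345, "abcdefghijklmnop", "string")}
```

Running check_policy_pair(A, B) on the sample returns an empty list; changing one SA's key format or SPI on either end produces the corresponding violation message.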