Configuring an IKE-based IPsec policy

In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.

To configure an IKE-based IPsec policy, use one of the following methods:

• Directly configure it by configuring the parameters in IPsec policy view.

• Configure it by referencing an existing IPsec policy template with the parameters to be negotiated configured.
A device referencing an IPsec policy that is configured in this way cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator. When the remote end's information (such as the IP address) is unknown, this method allows the remote end to initiate negotiations with the local end.

Configuration restrictions and guidelines

To guarantee successful SA negotiations, make sure the IPsec configurations at the two ends of an IPsec tunnel meet the following requirements:

• The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.

• The IPsec policies at the two tunnel ends must have the same IKE profile parameters.

• An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.

• The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end.

For an IPsec SA established through IKE negotiation:

• The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.

• The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires.

Directly configuring an IKE-based IPsec policy

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IKE-based IPsec policy entry and enter its view.
    Command: ipsec { ipv6-policy | policy } policy-name seq-number isakmp
    Remarks: By default, no IPsec policy exists.

Step 3. (Optional.) Configure a description for the IPsec policy.
    Command: description text
    Remarks: By default, no description is configured.

Step 4. Specify an ACL for the IPsec policy.
    Command: security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]
    Remarks: By default, no ACL is specified for the IPsec policy. An IPsec policy can reference only one ACL.
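The following two-device configuration is an added example, not taken from the original guide: Device A is the IKE initiator with a directly configured IKE-based IPsec policy, while Device B does not know A's address and therefore references an IPsec policy template, so it can only respond to negotiation requests. The addresses, object names and the pre-shared-key placeholder are assumed, and the commands not listed in the table above (ACL, transform set, IKE keychain, IKE profile, policy template and interface application) are assumed from the rest of the Comware IPsec command set.

```text
# Device A: IKE initiator, directly configured IKE-based IPsec policy (assumed local 1.1.1.1, peer 2.2.2.2)
system-view
 acl advanced 3000
  rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
 ipsec transform-set tran1
  protocol esp
  encapsulation-mode tunnel
  esp encryption-algorithm aes-cbc-128
  esp authentication-algorithm sha1
 ike keychain keychain1
  pre-shared-key address 2.2.2.2 255.255.255.255 key simple PSK-PLACEHOLDER
 ike profile profile1
  keychain keychain1
  local-identity address 1.1.1.1
  match remote identity address 2.2.2.2 255.255.255.255
 ipsec policy map1 10 isakmp
  security acl 3000
  transform-set tran1
  ike-profile profile1
  remote-address 2.2.2.2
 interface GigabitEthernet 1/0/1
  ipsec apply policy map1

# Device B: responder only; the peer address is unknown, so the IPsec policy references a template
system-view
 acl advanced 3000
  rule 0 permit ip source 10.2.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
# Same protocol, algorithms and encapsulation mode as Device A; otherwise no transform set matches and no SA is set up
 ipsec transform-set tran1
  protocol esp
  encapsulation-mode tunnel
  esp encryption-algorithm aes-cbc-128
  esp authentication-algorithm sha1
 ike keychain keychain1
  pre-shared-key address 0.0.0.0 0.0.0.0 key simple PSK-PLACEHOLDER
 ike profile profile1
  keychain keychain1
  local-identity address 2.2.2.2
  match remote identity address 0.0.0.0 0.0.0.0
 ipsec policy-template temp1 10
  security acl 3000
  transform-set tran1
  ike-profile profile1
 ipsec policy map1 10 isakmp template temp1
 interface GigabitEthernet 1/0/1
  ipsec apply policy map1
```

The all-zero pre-shared-key address and remote identity match on Device B accept negotiation attempts from any source, which is what the unknown-peer case requires; where the peer's address range is known, narrow the mask, or prefer certificate-based authentication, so that arbitrary hosts cannot start negotiations.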