Protocols And Standards; Ipsec Tunnel Establishment - HP 5920 Series Configuration Manual
Hide thumbs
Also See for 5920 Series:
- Command reference manual (607 pages) ,
- Configuration manual (322 pages) ,
- Fc and fcoe configuration manual (257 pages)
Table of Contents
Advertisement
ACL-based IPsec
To implement ACL-based IPsec, configure an ACL to define the data flows to be protected, reference the
ACL in an IPsec policy, and then apply the IPsec policy to an interface. When packets sent by the
interface match the permit rule of the ACL, the packets are protected by the outbound IPsec SA and
encapsulated with IPsec. When the interface receives an IPsec packet whose destination address is the
IP address of the local device, it searches for the inbound IPsec SA according to the SPI carried in the
IPsec packet header for de-encapsulation. If the de-encapsulated packet matches the permit rule of the
ACL, the device processes the packet. Otherwise, it drops the packet.
The device supports the following data flow protection modes:
Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule
•
is protected by one IPsec tunnel that is established solely for it.
•
Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL.
This mode is only used to communicate with old-version devices.
Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is
•
identified by one ACL rule and protected by one IPsec tunnel established solely for it. This mode
consumes more system resources when multiple data flows exist between two subnets to be
protected.
Application-based IPsec
This IPsec implementation method does not require any ACL. All packets of the application bound to an
IPsec policy are encapsulated with IPsec, and all packets of the applications that are not bound with IPsec
and the IPsec packets that failed to be de-encapsulated are dropped.
You can use IPsec to protect an IPv6 routing protocol by using this method. The supported IPv6 routing
protocols include OSPFv3, IPv6 BGP, and RIPng.
In one-to-many communication scenarios, you must configure the IPsec SAs for an IPv6 routing protocol
in manual mode because of the following reasons:
The automatic key exchange mechanism is only used to protect communications between two
•
points. In one-to-many communication scenarios, automatic key exchange cannot be implemented.
•
One-to-many communication scenarios require that all the devices use the same SA parameters (SPI
and key) to receive and send packets. IKE negotiated SAs cannot meet this requirement.
Protocols and standards
RFC 2401, Security Architecture for the Internet Protocol
•
RFC 2402, IP Authentication Header
•
•
RFC 2406, IP Encapsulating Security Payload
RFC 4552, Authentication/Confidentiality for OSPFv3
•
IPsec tunnel establishment
IPsec tunnels can be established in different methods. Choose a correct method to establish IPsec tunnels
according to your network conditions:
ACL-based IPsec tunnel—Protects packets identified by an ACL. To establish an ACL-based IPsec
•
tunnel, configure an IPsec policy, reference an ACL in the policy, and apply the policy to an
224
- Quick Links:
- Configuration Guide
- Configuring Local Users
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
