Configuring Acls - HP 5120 SI Series Security Configuration Manual

Task
Configuring the IPsec session idle timeout
Enabling ACL checking of de-encapsulated IPsec packets
Configuring the IPsec anti-replay function
Configuring packet information pre-extraction
CAUTION:
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and
50 respectively. Make sure that flows of these protocols are not denied on the interfaces with IKE or IPsec
configured.

Configuring ACLs

ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is
desired, such as QoS and IPsec.
Keywords in ACL rules
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or
permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement
identifies a data flow that is not protected by IPsec. With IPsec, a packet is matched against the
referenced ACL rules and processed according to the first rule that it matches:
Each ACL rule matches both the outbound traffic and the returned inbound traffic. For the outbound
•
traffic, IPsec uses the source and destination IP addresses specified in the rule to match the source
and destination IP addresses of the traffic. For the returned inbound traffic, IPsec uses the destination
IP address and the source IP address specified in the rule to match the source IP address and the
destination IP address of the traffic.
In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires
•
protection and continues to process it. If a deny statement is matched or no match is found, IPsec
considers that the packet does not require protection and delivers it to the next function module.
In the inbound direction:
•
Non-IPsec packets that match a permit statement are dropped.
IPsec packets that match a permit statement and are destined for the device itself are
de-encapsulated and matched against the rule again. Only those that match a permit
statement are processed by IPsec.
When you configure an ACL for IPsec, follow these guidelines:
• Permit only data flows that need to be protected and use the any keyword with caution. With the
any keyword specified in a permit statement, all outbound traffic matching the permit statement will
be protected by IPsec and all inbound IPsec packets matching the permit statement will be received
and processed, but all inbound non-IPsec packets will be dropped. This will cause the inbound
traffic that does not need IPsec protection to be all dropped.
Avoid statement conflicts in the scope of IPsec policy groups. When creating a deny statement, be
•
careful with its matching scope and matching order relative to permit statements. The policies in an
IPsec policy group have different match priorities. ACL rule conflicts between them are prone to
cause mistreatment of packets. For example, when configuring a permit statement for an IPsec
policy to protect an outbound traffic flow, you must avoid the situation that the traffic flow matches
344
Remarks
Optional.
Optional.
Optional.
Optional.