Applying an IPSec Policy Group to an Interface; Binding an IPSec Policy (Group) to an Encryption Card - 3Com MSR 50 Series Configuration Manual


Applying an IPSec Policy Group to an Interface
An IPSec policy group is a collection of IPSec policies with the same name but
different sequence numbers. In an IPSec policy group, an IPSec policy with a
smaller sequence number has a higher priority.
You can apply an IPSec policy group to an interface (logical or physical) to protect
certain data flows. To cancel the IPSec protection, remove the IPSec policy group
from the interface.
For each packet to be sent out through an IPSec protected interface, the system
checks the IPSec policies of the IPSec policy group in ascending order of
sequence numbers. If it finds an IPSec policy whose ACL matches the packet, it
uses that IPSec policy to protect the packet. If no IPSec policy in the group has
an ACL that matches the packet, the system does not protect the packet and sends
it out directly.
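
The lookup described above, modelled in Python as an added example (not code from the 3Com manual). Each ACL is simplified to a single source/destination prefix pair, and the names `Policy`, `select_policy`, `shadowed` and `audit`, as well as all addresses, are assumptions made for illustration. It reports which policy protects a flow, which flows leave the interface unprotected, and which policies are never reached because a lower sequence number matches first.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    seq: int   # sequence number inside the policy group
    src: str   # simplified ACL: a single permit rule, source prefix
    dst: str   # ... and destination prefix

def matches(pol, src, dst):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(pol.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(pol.dst))

def select_policy(group, src, dst):
    """First policy in ascending sequence order whose ACL matches, else None."""
    for pol in sorted(group, key=lambda p: p.seq):
        if matches(pol, src, dst):
            return pol
    return None  # no ACL matched: the packet leaves the interface unprotected

def shadowed(group):
    """Sequence numbers that can never be selected: a lower-sequence ACL covers them."""
    ordered = sorted(group, key=lambda p: p.seq)
    hidden = []
    for i, pol in enumerate(ordered):
        s, d = ipaddress.ip_network(pol.src), ipaddress.ip_network(pol.dst)
        if any(s.subnet_of(ipaddress.ip_network(e.src)) and
               d.subnet_of(ipaddress.ip_network(e.dst)) for e in ordered[:i]):
            hidden.append(pol.seq)
    return hidden

def audit(group, flows):
    """Map each (src, dst) flow to the protecting sequence number or 'CLEARTEXT'."""
    result = {}
    for src, dst in flows:
        pol = select_policy(group, src, dst)
        result[(src, dst)] = pol.seq if pol else "CLEARTEXT"
    return result

# Constructed sample data, not taken from the manual.
GROUP = [Policy(20, "10.1.0.0/16", "10.2.0.0/16"),
         Policy(10, "10.1.1.0/24", "10.2.1.0/24"),
         Policy(30, "10.1.5.0/24", "10.2.5.0/24")]
FLOWS = [("10.1.1.7", "10.2.1.9"), ("10.1.5.4", "10.2.5.8"),
         ("10.1.1.7", "192.0.2.10")]

if __name__ == "__main__":
    for flow, verdict in audit(GROUP, FLOWS).items():
        print(flow, "->", verdict)
    print("never selected:", shadowed(GROUP))
```
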
In addition to physical interfaces such as serial ports and Ethernet ports, an IPSec
policy can be applied to virtual interfaces such as tunnel interfaces and virtual
template interfaces. Therefore, an IPSec policy can be used on tunnels such as GRE
tunnels and L2TP tunnels as needed.
Follow these steps to apply an IPSec policy group to an interface:

| To do... | Use the command... | Remarks |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter interface view | interface interface-type interface-number | - |
| Apply an IPSec policy group to the interface | ipsec policy policy-name | Required |

Note: An interface can reference only one IPSec policy group. An IKE-dependent IPSec
policy can be applied to more than one interface while a manual IPSec policy can
be applied to only one interface.

Binding an IPSec Policy (Group) to an Encryption Card
To provide data authentication, encryption and decryption through an encryption
card, you need to bind the IPSec policy or the IPSec policy group for the SAs to the
encryption card. By binding the IPSec policy or IPSec policy group to multiple
encryption cards, you can implement redundancy and improve resiliency.
You can specify an encryption card as the primary card for an IPSec policy or IPSec
policy group. You can specify the primary card repeatedly, but only the last one
takes effect. An IPSec policy or an IPSec policy group uses the bound primary card
to provide security services. If there is no primary card, an IPSec policy or IPSec
policy group prefers the first available encryption card that is bound to it. Once an
IPSec policy or IPSec policy group takes a second encryption card as the primary
card, the new primary card begins to provide security services immediately.
If you remove the binding of an IPSec policy or policy group to an encryption card,
the matched packets will no longer be serviced by the card.
Follow these steps to bind an IPSec policy or policy group to an encryption card:
