Configuring an IPsec Profile - HP A6600 Configuration Manual

| Task | Remarks |
|---|---|
| Enabling packet information pre-extraction on the IPsec tunnel interface | Optional |
| Applying a QoS policy to an IPsec tunnel interface | Optional |
| Enabling the encryption engine | Optional |
| Configuring the IPsec anti-replay function | Optional |

Configuring an IPsec profile

As described previously, an IPsec policy is uniquely identified by its name and sequence number. An
IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers.
In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority. After an
IPsec policy group is applied to an interface, for each packet arriving at the interface, the system checks
the IPsec policies of the IPsec policy group in the ascending order of sequence numbers. One IPsec
tunnel is established for each data flow to be protected, and multiple IPsec tunnels may exist on an
interface.
An IPsec profile is similar to an IPsec policy. The difference is that an IPsec profile is uniquely identified
by its name, and it does not support ACL configuration. An IPsec profile defines the IPsec proposal to be
used for protecting data flows and specifies the parameters for IKE negotiation. After an IPsec profile is
applied to an IPsec tunnel interface, only one IPsec tunnel is set up to protect all data flows that are
routed to the tunnel.
IPsec profiles can be applied only to DVPN interfaces and IPsec tunnel interfaces. The IPsec tunnel
established using an IPsec profile protects all IP data routed to the tunnel interface.
Before configuring an IPsec profile, complete the following tasks:
- IPsec proposal configuration. For more information, see "Configuring an IPsec proposal."
- IKE peer configuration. For more information, see "Configuring IKE."
The parameters for the local and remote ends must match.
NOTE:
- During an IKE negotiation based on an IPsec profile, the source and destination addresses of the
  IPsec tunnel interface are used as the local and remote addresses; local-address and
  remote-address configured for IKE negotiation do not take effect.
- If you do not configure the destination address of the IPsec tunnel interface, the local peer can only
  be an IKE negotiation responder; it cannot initiate an IKE negotiation.
- DVPN is a technology for establishing VPNs between enterprise branches that use dynamic
  addresses to access the public network. For more information, see Layer 3—IP Services Configuration
  Guide.
To configure an IPsec profile:

| To do... | Command... | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | - |
| 2. Create an IPsec profile and enter its view. | ipsec profile profile-name | Required. By default, no IPsec profile exists. |
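
A check for the two behaviours described in the NOTE above, as an added example that is not part of the HP manual: it flags tunnel interfaces that use an IPsec profile but have no destination address (responder only), and IKE peers whose local-address or remote-address will not take effect. The sample configuration is constructed, and its section layout and the `interface Tunnel`, `destination`, `ike peer` and `ike-peer` lines are assumed Comware-style syntax rather than text from this page.

```python
# SAMPLE_CONFIG is constructed; its layout and the "interface Tunnel",
# "destination", "ike peer" and "ike-peer" lines are assumed Comware-style syntax.
SAMPLE_CONFIG = """\
ike peer branch1
 remote-address 203.0.113.2
#
ike peer branch2
#
ipsec profile prof1
 ike-peer branch1
#
ipsec profile prof2
 ike-peer branch2
#
interface Tunnel1
 destination 203.0.113.2
 ipsec profile prof1
#
interface Tunnel2
 ipsec profile prof2
"""

def parse_sections(text):
    """Map each unindented header line to the word lists of its indented lines."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and line.strip() and current is not None:
            current.append(line.split())
        elif line.strip() not in ("", "#"):      # "#" separates sections
            current = sections.setdefault(line.strip(), [])
    return sections

def lint_profiles(text):
    """Return (tunnel interface, finding) pairs, in configuration order."""
    sections, findings = parse_sections(text), []
    for header, body in sections.items():
        profile = next((w[2] for w in body if w[:2] == ["ipsec", "profile"] and len(w) > 2), None)
        if not header.lower().startswith("interface tunnel") or profile is None:
            continue
        if not any(w[0] == "destination" for w in body):
            findings.append((header, "no destination: responder only, cannot initiate IKE"))
        refs = sections.get(f"ipsec profile {profile}", [])
        for peer in (w[1] for w in refs if w[0] == "ike-peer" and len(w) > 1):
            for w in sections.get(f"ike peer {peer}", []):
                if w[0] in ("local-address", "remote-address"):
                    findings.append((header, f"ike peer {peer}: {w[0]} is ignored"))
    return findings

print("\n".join(f"{iface}: {msg}" for iface, msg in lint_profiles(SAMPLE_CONFIG)))
```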