Configuring An Ipsec Transform Set - HP 6600 Security Configuration Manual


Figure 96 Non-mirror image ACLs
Protection modes
Data flows can be protected in the following modes:
Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is
protected by one tunnel that is established solely for it.
Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL. This
mode is configurable only when IKE is used for IPsec policy negotiation. When the device at one
end of a tunnel runs Comware V3 software and the device at the other end runs Comware V5
software, you can configure only the aggregation mode on both devices.
For more information about ACL configuration, see ACL and QoS Configuration Guide.
To use IPsec in combination with QoS, make sure that the ACL classification rules used by IPsec match the QoS
classification rules. If they do not match, QoS may place packets belonging to one IPsec SA into different
queues, causing them to be sent out of order. If the anti-replay function is also enabled, the receiving end
discards inbound packets that fall outside the anti-replay window, so the reordering turns into packet loss. For
more information about QoS classification rules, see ACL and QoS Configuration Guide.

Configuring an IPsec transform set

An IPsec transform set, part of an IPsec policy or an IPsec profile, defines the security parameters for IPsec
SA negotiation, including the security protocol, and the encryption and authentication algorithms.
To configure an IPsec transform set:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IPsec transform set and enter its view.
    Command: ipsec transform-set transform-set-name
    Remarks: By default, no IPsec transform set exists. You can create up to 10000 IPsec transform sets.

Step 3. Specify the security protocol for the IPsec transform set.
    Command: transform { ah | ah-esp | esp }
    Remarks: Optional. ESP by default.
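As an added example that is not from the HP manual, the three steps above as they would appear in a Comware V5 CLI session, extended with three transform-set-view commands (esp encryption-algorithm, esp authentication-algorithm, encapsulation-mode) that are assumed from the Comware V5 command reference and are not shown on this page. The device name and transform-set name are placeholders; ESP is chosen explicitly because AH alone authenticates but does not encrypt the protected data flow.

```text
# Added example, not part of the HP 6600 manual. Lines marked "assumed" use
# commands this page does not show; check them against your release's
# command reference before relying on them.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] transform esp
[Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes          # assumed
[Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1     # assumed
[Sysname-ipsec-transform-set-tran1] encapsulation-mode tunnel           # assumed
[Sysname-ipsec-transform-set-tran1] quit
[Sysname] display ipsec transform-set tran1                               # assumed
```

Step 3 can be omitted when ESP is wanted, since ESP is the default; it is shown here so the choice is visible in the running configuration.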
