Configuring An Ipsec Proposal - HP 12500 Series Configuration Manual

The peer with the narrower rule initiates SA negotiation. If a wider ACL rule is used by the SA
initiator, the negotiation request may be rejected because the matching traffic is beyond the scope
of the responder. As shown in Figure 63, the SA negotiation initiated by Host A to Host C is
accepted, but the SA negotiations from Host C to Host B or from Host D to Host A are rejected.
Figure 63 Non-mirror image ACLs
Protection mode
Data flows can be protected in standard mode, where one tunnel protects one data flow. The data flow
permitted by an ACL rule is protected by one tunnel that is established solely for it. The standard data
flow protection mode is available only for FIPS mode.
For more information about ACL configuration, see ACL and QoS Configuration Guide.
To use IPsec in combination with QoS, make sure that IPsec's ACL classification rules match the QoS
classification rules. If the rules do not match, QoS may classify the packets of one IPsec SA to different
queues, causing packets to be sent out of order. When the anti-replay function is enabled, IPsec will
discard the packets beyond the anti-replay window in the inbound direction, resulting in packet loss. For
more information about QoS classification rules, see ACL and QoS Configuration Guide.
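The scope rule for non-mirror image ACLs described above, as an added example that is not part of the HP manual: each peer's ACL rule is modelled as a source/destination prefix pair, the responder's rule is mirrored, and the check reports whether the initiator's traffic falls entirely within it (the peer roles and prefixes are constructed sample data).

```python
# Added example (not from the HP manual): model the rule that an SA negotiation
# is accepted only when the initiator's ACL traffic lies within the scope of the
# responder's mirrored ACL rule. Prefixes and peer roles below are constructed.
from ipaddress import IPv4Network, ip_network
from typing import Tuple

Rule = Tuple[IPv4Network, IPv4Network]  # (source prefix, destination prefix)


def rule(src: str, dst: str) -> Rule:
    """Build an ACL-style rule from two prefix strings."""
    return ip_network(src), ip_network(dst)


def mirror(r: Rule) -> Rule:
    """Mirror image of a rule: the peer's source is our destination and vice versa."""
    src, dst = r
    return dst, src


def is_mirror_image(local: Rule, remote: Rule) -> bool:
    """True when the two peers' rules are exact mirror images (the recommended setup)."""
    return local == mirror(remote)


def within_scope(initiator: Rule, responder: Rule) -> bool:
    """True when every flow selected by the initiator's rule is also selected by
    the responder's rule, viewed from the initiator's side (i.e. mirrored)."""
    i_src, i_dst = initiator
    r_src, r_dst = mirror(responder)
    return i_src.subnet_of(r_src) and i_dst.subnet_of(r_dst)


def negotiation_accepted(initiator: Rule, responder: Rule) -> bool:
    """Outcome of an SA negotiation request sent from initiator to responder."""
    return within_scope(initiator, responder)


# Constructed sample: peer 1 protects a whole /24 pair (wider rule), peer 2 only
# one host pair (narrower rule). Only the narrower peer can initiate successfully.
WIDE = rule("10.1.1.0/24", "10.2.2.0/24")    # peer 1's rule
NARROW = rule("10.2.2.5/32", "10.1.1.5/32")  # peer 2's rule

if __name__ == "__main__":
    print("narrow -> wide accepted:", negotiation_accepted(NARROW, WIDE))  # True
    print("wide -> narrow accepted:", negotiation_accepted(WIDE, NARROW))  # False
    print("exact mirror images:", is_mirror_image(WIDE, mirror(WIDE)))    # True
```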

Configuring an IPsec proposal

An IPsec proposal, part of an IPsec policy, defines the security parameters for IPsec SA negotiation,
including the security protocol, the encryption and authentication algorithms, and the encapsulation
mode.
You can configure up to 10000 IPsec proposals in the system.
To configure an IPsec proposal:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IPsec proposal and enter its view.
  Command: ipsec proposal proposal-name
  Remarks: By default, no IPsec proposal exists.
