Applying An Ipsec Policy Group To An Interface; Configuring The Ipsec Session Idle Timeout - HP 12500 Series Configuration Manual

Step 11. Set the global SA lifetime.
  Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
  Remarks: Optional. By default, the time-based SA lifetime is 3600 seconds and the traffic-based SA lifetime is 1843200 kilobytes. This command is available only for FIPS mode.

Applying an IPsec policy group to an interface

This function is available only for FIPS mode.
An IPsec policy group is a collection of IPsec policies that share the same name but have different sequence numbers. Within an IPsec policy group, the IPsec policy with the smaller sequence number has the higher priority.
You can apply an IPsec policy group to a logical or physical interface to protect certain data flows. To cancel the IPsec protection, remove the IPsec policy group from the interface.
For each packet to be sent out an IPsec-protected interface, the system looks through the IPsec policies in the IPsec policy group in ascending order of sequence number. The first IPsec policy that matches the packet is used to protect it. If no IPsec policy matches, the system sends the packet out without IPsec protection.
An interface can reference only one IPsec policy group. An IPsec policy that uses IKE can be applied to more than one interface, but a manual IPsec policy can be applied to only one interface.
To apply an IPsec policy group to an interface:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: Only VLAN interfaces and Layer 3 Ethernet interfaces support an IPsec policy group.
Step 3. Apply an IPsec policy group to the interface.
  Command: ipsec policy policy-name
  Remarks: N/A

Configuring the IPsec session idle timeout

An IPsec session is created when the first packet matching an IPsec policy arrives. At the same time, the system creates an IPsec session entry that records the packet's quintuplet (source IP address, destination IP address, protocol number, source port, and destination port) and the matched IPsec tunnel.
An IPsec session is automatically deleted after the idle timeout expires.
Subsequent packets of the data flow are looked up in the session entries by quintuplet. If a matching entry is found, the packets are processed according to its tunnel information. Otherwise, they go through the original IPsec process: the system searches the policy group or policy applied to the interface, and then the matched tunnel.
This session mechanism skips the intermediate matching steps for established flows, which improves IPsec forwarding efficiency.
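The policy-group search order and the session-entry shortcut described above, as an added simulation. This is not code from HP or the 12500 firmware: the policy selectors are source/destination prefixes standing in for ACL rules, the tunnel names, group name, addresses and timestamps are constructed, and the idle timeout is modelled with integer seconds. It shows three things the text states: the lowest sequence number wins when several policies match, a packet with no matching policy leaves unprotected and creates no session, and a cached session entry bypasses the policy search until its idle timer expires.

```python
"""Simulation of IPsec policy-group matching and the IPsec session cache."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """The quintuplet recorded in an IPsec session entry."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class IPsecPolicy:
    """One policy in a group: same group name, distinct sequence number."""
    group: str
    seq: int
    src_net: str      # constructed stand-in for an ACL data-flow selector
    dst_net: str
    tunnel: str       # constructed name of the IPsec tunnel the policy uses

    def matches(self, flow: Flow) -> bool:
        return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net))


class IPsecInterface:
    """An interface with exactly one IPsec policy group applied."""

    def __init__(self, policies: List[IPsecPolicy], idle_timeout: int):
        if len({p.group for p in policies}) != 1:
            raise ValueError("an interface references exactly one policy group")
        # Smaller sequence number = higher priority, so search in ascending order.
        self.policies = sorted(policies, key=lambda p: p.seq)
        self.idle_timeout = idle_timeout
        # session entry: quintuplet -> (matched tunnel, time of last packet)
        self.sessions: Dict[Flow, Tuple[str, int]] = {}
        self.policy_lookups = 0   # counts the slow path, to show what the cache saves

    def send(self, flow: Flow, now: int) -> Optional[str]:
        """Return the tunnel used for the packet, or None if it is sent unprotected."""
        entry = self.sessions.get(flow)
        if entry is not None:
            tunnel, last_seen = entry
            if now - last_seen < self.idle_timeout:
                self.sessions[flow] = (tunnel, now)   # refresh the idle timer
                return tunnel
            del self.sessions[flow]   # idle timeout expired: session deleted
        # Original IPsec process: walk the policy group in ascending sequence order.
        self.policy_lookups += 1
        for policy in self.policies:
            if policy.matches(flow):
                self.sessions[flow] = (policy.tunnel, now)   # session created on first match
                return policy.tunnel
        return None   # no policy matches: packet leaves without IPsec protection


def run_demo() -> dict:
    """Constructed scenario: two policies in group 'site-vpn', 300 s idle timeout."""
    group = [
        IPsecPolicy("site-vpn", 20, "10.1.0.0/16", "0.0.0.0/0", "tunnel-20"),
        IPsecPolicy("site-vpn", 10, "10.1.1.0/24", "10.2.2.0/24", "tunnel-10"),
    ]
    iface = IPsecInterface(group, idle_timeout=300)
    branch = Flow("10.1.1.5", "10.2.2.9", 6, 40000, 443)     # matches seq 10 and seq 20
    other = Flow("10.1.9.1", "192.0.2.1", 17, 5000, 53)      # matches seq 20 only
    outside = Flow("172.16.0.1", "10.2.2.9", 6, 40001, 443)  # matches nothing
    return {
        "branch_first": iface.send(branch, now=0),           # tunnel-10 (seq 10 wins)
        "other": iface.send(other, now=1),                   # tunnel-20
        "outside": iface.send(outside, now=2),               # None, sent in the clear
        "lookups_after_three": iface.policy_lookups,         # 3 slow-path searches
        "branch_cached": iface.send(branch, now=100),        # served from session entry
        "lookups_after_cache_hit": iface.policy_lookups,     # still 3
        "branch_after_idle": iface.send(branch, now=500),    # 400 s idle: re-searched
        "lookups_after_idle": iface.policy_lookups,          # 4
        "sessions": len(iface.sessions),                     # branch + other = 2
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The counter of slow-path lookups is the point of the demonstration: once a flow has a session entry, repeated packets never touch the policy group, and the entry disappears only after the flow has been idle for the configured timeout, after which the next packet is matched against the policies again.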
