Configuring An Acl; Configuring An Ipsec Transform Set - HPE FlexNetwork 5510 HI Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 5510 HI Series:
- Configuration manual (572 pages) ,
- Mpls configuration manual (505 pages) ,
- Layer 3 - ip routing configuration manual (486 pages)
Table of Contents
Advertisement
Configuring an ACL
IPsec uses ACLs to identify the traffic to be protected.
Keywords in ACL rules
An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement
identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not
protected by IPsec. With IPsec, a packet is matched against the ACL rules and processed according
to the first rule that it matches:
•
Each ACL rule matches both the outbound traffic and the returned inbound traffic.
•
In the outbound direction, if a permit statement is matched, IPsec considers that the packet
requires protection and continues to process it. If a deny statement is matched or no match is
found, IPsec considers that the packet does not require protection and delivers it to the next
module.
•
In the inbound direction:
Non-IPsec packets that match a permit statement are dropped.
IPsec packets that match a permit statement and are destined for the device itself are
de-encapsulated. By default, the device matches the de-encapsulated packets against the
ACL again and, if they match a permit statement, continues to process the packets. If ACL
checking for de-encapsulated packets is disabled, the device directly processes the
de-encapsulated packets without matching against the ACL.
When defining ACL rules for IPsec, follow these guidelines:
•
Permit only data flows that need to be protected and use the any keyword with caution. With the
any keyword specified in a permit statement, all outbound traffic matching the permit statement
will be protected by IPsec. All inbound IPsec packets matching the permit statement will be
received and processed, but all inbound non-IPsec packets will be dropped. This will cause all
the inbound traffic that does not need IPsec protection to be dropped.
•
Avoid statement conflicts in the scope of IPsec policy entries. When creating a deny statement,
be careful with its matching scope and matching order relative to permit statements. The policy
entries in an IPsec policy have different match priorities. ACL rule conflicts between them are
prone to cause mistreatment of packets. For example, when configuring a permit statement for
an IPsec policy entry to protect an outbound traffic flow, you must avoid the situation that the
traffic flow matches a deny statement in a higher priority IPsec policy entry. Otherwise, the
packets will be sent out as normal packets. If they match a permit statement at the receiving
end, they will be dropped by IPsec.
Mirror image ACLs
To make sure SAs can be set up and the traffic protected by IPsec can be processed correctly
between two IPsec peers, create mirror image ACLs on the IPsec peers.
Configuring an IPsec transform set
An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA
negotiation, including the security protocol, encryption algorithms, and authentication algorithms.
Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the
changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be
set up by using the updated parameters.
To configure an IPsec transform set:
Step
1.
Enter system view.
Command
system-view
265
Remarks
N/A
- Quick Links:
- Radius
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
