Applying An Ipsec Policy To An Interface; Enabling Acl Checking For De-Encapsulated Packets - HPE FlexNetwork 5510 HI Series Security Configuration Manual

Step 13. Return to system view.
    Command: quit
    Remarks: N/A

Step 14. Configure the global SA lifetime.
    Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
    Remarks: By default, the time-based SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes.

Step 15. (Optional.) Enable the global IPsec SA idle timeout feature, and set the global SA idle timeout.
    Command: ipsec sa idle-time seconds
    Remarks: By default, the global IPsec SA idle timeout feature is disabled.

Step 16. Create an IPsec policy by using the IPsec policy template.
    Command: ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name
    Remarks: By default, no IPsec policy exists.

Applying an IPsec policy to an interface

You can apply an IPsec policy to an interface to protect certain data flows. To cancel the IPsec
protection, remove the application of the IPsec policy. In addition to VLAN interfaces, you can apply
an IPsec policy to tunnel interfaces to protect applications such as GRE.
For each packet to be sent out of an interface that has an IPsec policy applied, the interface looks
through the IPsec policy entries in the IPsec policy in ascending order of sequence numbers. If the
packet matches the ACL of an IPsec policy entry, the interface uses that IPsec policy entry to protect
the packet. If no match is found, the interface sends the packet out without IPsec protection.
When the interface receives an IPsec packet whose destination address is the IP address of the
local device, it searches for the inbound IPsec SA according to the SPI carried in the IPsec packet
header and uses that SA for de-encapsulation. If the de-encapsulated packet matches the permit rule of the ACL, the
device processes the packet. Otherwise, it drops the packet.
An interface can have only one IPsec policy applied. An IKE-based IPsec policy can be applied to
more than one interface, but a manual IPsec policy can be applied to only one interface.
To apply an IPsec policy to an interface:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

Step 3. Apply an IPsec policy to the interface.
    Command: ipsec apply { policy | ipv6-policy } policy-name
    Remarks: By default, no IPsec policy is applied to the interface. An interface can have only one IPsec policy applied. An IKE-mode IPsec policy can be applied to multiple interfaces, and a manual IPsec policy can be applied to only one interface.

Enabling ACL checking for de-encapsulated packets

This feature uses the ACL in the IPsec policy to match the IP packets that are de-encapsulated from
incoming IPsec packets in tunnel mode, and it discards the IP packets that fail to match the ACL to
avoid attacks using forged packets.
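The following Python model illustrates the lookup behaviour described in the two sections above: outbound packets are matched against the policy entries in ascending sequence-number order, and inbound IPsec packets are mapped to an inbound SA by SPI, de-encapsulated, and then ACL-checked (the "ACL checking for de-encapsulated packets" feature) before they are accepted. It is an added example, not code from the HPE manual or the device firmware; all class and function names, the sample addresses and SPIs, and the assumption that the inbound check uses the mirror image (source and destination swapped) of the entry's ACL are illustration choices, not device commands or documented behaviour.

```python
"""Added example (not from the HPE manual): a small model of how an
interface with an IPsec policy applied selects a policy entry for an
outbound packet, and how it handles an inbound IPsec packet."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class AclRule:
    action: str   # "permit" or "deny"
    src_net: str  # CIDR, e.g. "10.1.1.0/24"
    dst_net: str

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


@dataclass
class Acl:
    rules: List[AclRule] = field(default_factory=list)

    def permits(self, pkt: Packet) -> bool:
        # First matching rule decides; a packet matching no rule is not permitted.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "permit"
        return False


@dataclass
class PolicyEntry:
    seq: int
    acl: Acl
    inbound_spi: int  # SPI of the inbound SA belonging to this entry (constructed value)


@dataclass
class IpsecPolicy:
    name: str
    entries: Dict[int, PolicyEntry] = field(default_factory=dict)
    decrypt_check: bool = True  # models "ACL checking for de-encapsulated packets"

    def add_entry(self, entry: PolicyEntry) -> None:
        self.entries[entry.seq] = entry

    def select_outbound(self, pkt: Packet) -> Optional[int]:
        """Return the seq number of the first entry (ascending order) whose ACL
        permits pkt, or None when the packet leaves without IPsec protection."""
        for seq in sorted(self.entries):
            if self.entries[seq].acl.permits(pkt):
                return seq
        return None

    def process_inbound(self, spi: int, inner: Packet) -> str:
        """Find the inbound SA by SPI, then ACL-check the de-encapsulated packet.
        Assumption: the inner packet is checked against the mirror image of the
        entry ACL (src/dst swapped), because the ACL describes the outbound flow."""
        entry = next((e for e in self.entries.values() if e.inbound_spi == spi), None)
        if entry is None:
            return "drop: no inbound SA for SPI"
        mirrored = Packet(src=inner.dst, dst=inner.src)
        if self.decrypt_check and not entry.acl.permits(mirrored):
            return "drop: de-encapsulated packet fails ACL check"
        return f"accept: entry {entry.seq}"


def build_demo_policy() -> IpsecPolicy:
    """Constructed sample policy with two entries (addresses and SPIs are made up)."""
    policy = IpsecPolicy(name="policy1")
    policy.add_entry(PolicyEntry(10, Acl([AclRule("permit", "10.1.1.0/24", "10.2.2.0/24")]), 0x1001))
    policy.add_entry(PolicyEntry(20, Acl([AclRule("deny", "10.1.1.0/24", "10.3.3.0/24"),
                                          AclRule("permit", "10.1.0.0/16", "10.3.3.0/24")]), 0x1002))
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    print(p.select_outbound(Packet("10.1.1.5", "10.2.2.9")))   # entry 10
    print(p.select_outbound(Packet("10.1.9.1", "10.3.3.3")))   # entry 20
    print(p.select_outbound(Packet("10.1.1.5", "10.3.3.3")))   # None: denied by entry 20, no other match
    print(p.process_inbound(0x1001, Packet("10.2.2.9", "10.1.1.5")))    # accepted
    print(p.process_inbound(0x1001, Packet("172.16.0.1", "10.1.1.5")))  # dropped by ACL check
```

The third outbound case shows why entry order matters: a deny rule in entry 20 stops the lookup for that flow, so the packet leaves unprotected rather than falling through to a later permit. Setting decrypt_check to False reproduces the behaviour without ACL checking, where a forged inner packet carried under a valid SPI would be accepted.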
