IPsec tunnels can be established using different methods. Choose the correct method to establish IPsec tunnels according to your network conditions:
• ACL-based IPsec tunnel—Protects packets identified by an ACL. To establish an ACL-based IPsec tunnel, configure an IPsec policy, specify an ACL in the policy, and apply the policy to an interface (see "Implementing ACL-based IPsec"). The IPsec tunnel establishment steps are the same in an IPv4 network and in an IPv6 network.
• Tunnel interface-based IPsec tunnel—Protects packets routed to the tunnel interface. To establish a tunnel interface-based IPsec tunnel, configure an IPsec profile and apply the IPsec profile to the tunnel interface (see "Configuring IPsec for tunnels"). This IPsec implementation simplifies IPsec VPN configuration and management, and improves the scalability of large VPN networks.
• Application-based IPsec tunnel—Protects the packets of an application. This method can be used to protect IPv6 routing protocols. It does not require an ACL. For information about IPv6 routing protocol protection, see "Configuring IPsec for IPv6 routing protocols."

Implementing ACL-based IPsec
Use the following procedure to implement ACL-based IPsec:
1. Configure an ACL for identifying data flows to be protected. To use IPsec to protect VPN traffic, you do not need to specify the VPN parameters in the ACL rules.
2. Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and the encapsulation mode.
3. Configure an IPsec policy to associate data flows with the IPsec transform sets, specify the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec tunnel), the required keys, and the SA lifetime.
   An IPsec policy is a set of IPsec policy entries that have the same name but different sequence numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has a higher priority.
4. Apply the IPsec policy to an interface.

Complete the following tasks to configure ACL-based IPsec:
Tasks at a glance
(Required.) Configuring an ACL
(Required.) Configuring an IPsec transform set
(Required.) Configure an IPsec policy (use either method):
• Configuring a manual IPsec policy
• Configuring an IKE-based IPsec policy
(Required.) Applying an IPsec policy to an interface
(Optional.) Enabling ACL checking for de-encapsulated packets
(Optional.) Configuring IPsec anti-replay
(Optional.) Configuring IPsec anti-replay redundancy
(Optional.) Binding a source interface to an IPsec policy
(Optional.) Enabling QoS pre-classify
(Optional.) Enabling logging of IPsec packets
(Optional.) Configuring the DF bit of IPsec packets
(Optional.) Configuring IPsec RRI
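The priority rule in step 3 can hide a misordered entry: a broad flow in a low-numbered entry takes traffic that a more specific, higher-numbered entry was meant to protect. The following added example (not from the manual, and not the device's implementation) models a policy as entries matched in ascending sequence number. It assumes permit rules on source and destination prefixes only; the addresses and transform-set names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:                 # one permit rule of the ACL an entry references
    src: str
    dst: str

@dataclass(frozen=True)
class Entry:                # one IPsec policy entry (simplified, hypothetical)
    seq: int
    flows: tuple
    transform_set: str

def covers(outer, inner):
    """True if every packet matching `inner` also matches `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst)))

def select_entry(policy, src, dst):
    """Entry that protects src->dst (smallest seq wins), or None."""
    for e in sorted(policy, key=lambda e: e.seq):
        for f in e.flows:
            if (ip_address(src) in ip_network(f.src)
                    and ip_address(dst) in ip_network(f.dst)):
                return e
    return None

def shadowed_flows(policy):
    """(seq, flow, shadowing_seq) for flows no packet can ever reach."""
    ordered = sorted(policy, key=lambda e: e.seq)
    found = []
    for i, e in enumerate(ordered):
        for f in e.flows:
            for earlier in ordered[:i]:
                if any(covers(g, f) for g in earlier.flows):
                    found.append((e.seq, f, earlier.seq))
                    break
    return found

# Constructed sample policy: entry 10 is broad, entry 20 is more specific.
POLICY = [
    Entry(20, (Flow("10.1.1.0/24", "10.2.2.0/24"),), "strong-ts"),
    Entry(10, (Flow("10.1.0.0/16", "10.2.0.0/16"),), "legacy-ts"),
    Entry(30, (Flow("10.1.0.0/16", "172.16.0.0/24"),), "strong-ts"),
]

if __name__ == "__main__":
    for seq, flow, by in shadowed_flows(POLICY):
        print(f"entry {seq} flow {flow.src}->{flow.dst} is shadowed by entry {by}")
```

In the sample, traffic intended for entry 20 is protected with entry 10's transform set instead, which is the kind of silent downgrade worth checking for before applying a policy to an interface.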