Applying an IPsec policy to an interface - HPE Moonshot 45Gc Security Configuration Manual


(Continued from the preceding page.)

Remarks for step 8 (continued): ... address of the interface to which the IPsec policy is applied. The local IP address specified by this command must be the same as the IP address used as the local IKE identity.

9. (Optional.) Specify the remote IP address of the IPsec tunnel.
   Command: remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }
   Remarks: By default, the remote IP address of the IPsec tunnel is not specified.

10. Configure the IPsec SA lifetime.
   Command: sa duration { time-based seconds | traffic-based kilobytes }
   Remarks: By default, the global SA lifetime settings are used.

11. (Optional.) Set the IPsec SA idle timeout.
   Command: sa idle-time seconds
   Remarks: By default, the global SA idle timeout is used.

12. (Optional.) Enable the Traffic Flow Confidentiality (TFC) padding feature.
   Command: tfc enable
   Remarks: By default, the TFC padding feature is disabled.

13. Return to system view.
   Command: quit
   Remarks: N/A

14. Configure the global SA lifetime.
   Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
   Remarks: By default, the time-based SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes.

15. (Optional.) Enable the global IPsec SA idle timeout feature, and set the global SA idle timeout.
   Command: ipsec sa idle-time seconds
   Remarks: By default, the global IPsec SA idle timeout feature is disabled.

16. Create an IPsec policy by referencing the IPsec policy template.
   Command: ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name
   Remarks: By default, no IPsec policy exists.

Applying an IPsec policy to an interface

You can apply an IPsec policy to an interface to protect certain data flows. To cancel the IPsec protection, remove the application of the IPsec policy from the interface. In addition to VLAN interfaces, you can apply an IPsec policy to tunnel interfaces to protect applications such as GRE.

For each packet to be sent out of an interface to which an IPsec policy is applied, the interface looks through the entries of that IPsec policy in ascending order of sequence numbers. If the packet matches the ACL of an IPsec policy entry, the interface uses that entry (the first match) to protect the packet. If no entry matches, the interface sends the packet out without IPsec protection, so any flow that the ACLs fail to cover leaves the interface in cleartext.

When the interface receives an IPsec packet whose destination address is an IP address of the local device, it uses the SPI carried in the IPsec packet header to locate the inbound IPsec SA and de-encapsulates the packet. If the de-encapsulated packet matches a permit rule of the ACL, the device processes the packet. Otherwise, it drops the packet.

An interface can reference only one IPsec policy. An IKE-based IPsec policy can be applied to more than one interface, but a manual IPsec policy can be applied to only one interface.

To apply an IPsec policy to an interface:
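The following configuration ties steps 9 through 16 together and then applies the resulting policy to a VLAN interface. It is an added example, not a configuration taken from the manual. The commands from steps 9 to 16 (remote-address, sa duration, sa idle-time, tfc enable, quit, ipsec sa global-duration, ipsec sa idle-time, and ipsec policy ... isakmp template) are used as documented above. Everything else is assumed Comware syntax that is not on this page: the ACL, the policy template with its transform-set, security acl, ike-profile and local-address lines (steps 1 through 8 of the procedure), and the interface-view ipsec apply policy command from the table that the page cuts off. All names and addresses (3000, template1, tran1, profile1, policy1, 10.1.1.1, 10.2.2.2, 192.168.1.0/24, 192.168.2.0/24, Vlan-interface 10) are made up, and lines beginning with # are annotations rather than CLI input.

```text
# Assumed, not on this page: ACL 3000 selects the flow to protect.
# Only packets that hit a permit rule are encrypted; any other packet
# leaving Vlan-interface 10 is sent in cleartext.
acl advanced 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 quit
#
# Assumed, not on this page: the policy template and its steps 1-8.
ipsec policy-template template1 1
 transform-set tran1
 security acl 3000
 ike-profile profile1
 local-address 10.1.1.1
# Step 9: remote end of the tunnel.
 remote-address 10.2.2.2
# Step 10: per-template SA lifetime. Either limit rekeys the SA when
# reached; these values override the global ones set in step 14.
 sa duration time-based 1800
 sa duration traffic-based 921600
# Step 11: per-template idle timeout, overrides step 15.
 sa idle-time 600
# Step 12: TFC padding hides the true payload length.
 tfc enable
# Step 13: back to system view.
 quit
# Step 14: global SA lifetime. Shown here at the documented defaults
# (3600 seconds, 1843200 kilobytes); templates that omit sa duration
# inherit these.
ipsec sa global-duration time-based 3600
ipsec sa global-duration traffic-based 1843200
# Step 15: enable the global idle timeout and set it.
ipsec sa idle-time 600
# Step 16: create IPsec policy entry 10 from the template.
ipsec policy policy1 10 isakmp template template1
#
# Assumed, not on this page: apply the policy to the interface. An
# interface references only one policy; policy1 is IKE-based, so it
# may also be applied to other interfaces.
interface vlan-interface 10
 ipsec apply policy policy1
 quit
```

Two points worth checking after applying such a configuration. First, the protected flow is exactly what ACL 3000 permits: a packet from 192.168.1.0/24 to a destination outside 192.168.2.0/24 matches no entry of policy1 and is forwarded unprotected, so the ACL, not the policy, defines the security boundary. Second, the template-level sa duration and sa idle-time values take precedence over the global ones, so a shorter global lifetime set in step 14 has no effect on template1; remove the template-level commands if the global values are meant to govern.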
