Disabling Next-Payload Field Checking - 3Com 3C13636 Configuration Manual

3Com Router 3000 Ethernet Family
Configuration Guide
Chapter 7 IPSec Configuration

Table 7-21 Use IPSec policy group

Operation                               Command
Use the IPSec policy group              ipsec policy policy-name
Remove the IPSec policy group in use    undo ipsec policy [ policy-name ]

An interface can use only one IPSec policy group. Only an ISAKMP IPSec policy group
can be applied to more than one interface; a manually configured IPSec policy group
can be applied to only one interface.

When a packet is transmitted from an interface, the IPSec policies in the IPSec policy
group are searched in ascending order of sequence number. If the access control list
referenced by an IPSec policy permits the packet, the packet is processed by that
IPSec policy. If the packet is not permitted, the search continues with the next IPSec
policy. If the packet is not permitted by the access control list of any IPSec policy
in the group, it is transmitted directly (IPSec does not protect the packet).

Huawei's IPSec policy implementation can be applied not only to physical ports such as
serial ports and Ethernet ports, but also to virtual interfaces such as Tunnel and
Virtual Template. In this way, IPSec can be applied to tunnels such as GRE and L2TP
according to the actual networking requirements.

7.2.6 Disabling Next-Payload Field Checking

An IKE negotiation packet comprises multiple payloads; the next-payload field discussed
here is the one in the generic header of the last payload. According to the protocol,
this field should be set to 0. Its value, however, may vary by vendor. For
compatibility's sake, you can use the ike next-payload check disabled command to make
the router ignore this field during IPSec negotiation.

Table 7-22 Disable the router from checking the next-payload field

Operation                                          Command
Disable the router from checking the               ike next-payload check disabled
next-payload field in the last payload of the
IKE negotiation packet during IPSec negotiation
Remove the default                                 undo ike next-payload check disabled

By default, the router checks the next-payload field in the last payload of the IKE
negotiation packet during IPSec negotiation.
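The check described in section 7.2.6, sketched as an added Python example (not code from the manual or from the router): it walks the generic payload headers of an ISAKMP message as laid out in RFC 2408 and, in strict mode, rejects a message whose last payload carries a non-zero next-payload field. The function names, the check_last_next_payload flag and the sample messages are constructed for illustration, and the mapping of the flag to the router command is an assumption based on the manual's description.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, message ID, length
GENERIC_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length (header included)

def walk_payloads(msg, check_last_next_payload=True):
    """Return [(payload_type, body)] for an ISAKMP message.

    True models the router default; False models 'ike next-payload check
    disabled' (assumed effect: only the last payload's field is ignored).
    """
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    _, _, next_type, _, _, _, _, total = ISAKMP_HDR.unpack_from(msg)
    if total != len(msg):
        raise ValueError("length field does not match message size")
    payloads, offset = [], ISAKMP_HDR.size
    while offset < total:
        if next_type == 0:
            raise ValueError("chain ended (next-payload 0) but data remains")
        if total - offset < GENERIC_HDR.size:
            raise ValueError("truncated generic payload header")
        following, _, plen = GENERIC_HDR.unpack_from(msg, offset)
        if plen < GENERIC_HDR.size or offset + plen > total:
            raise ValueError("payload length out of bounds")
        payloads.append((next_type, msg[offset + GENERIC_HDR.size:offset + plen]))
        offset, next_type = offset + plen, following
    # The length checks above apply in both modes; only this test is optional.
    if next_type != 0 and check_last_next_payload:
        raise ValueError(f"last payload has next-payload {next_type}, expected 0")
    return payloads

def build_message(payloads, last_next_payload=0):
    """Constructed sample message; cookies, bodies and message ID are dummy values."""
    body = b""
    for i, (_, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else last_next_payload
        body += GENERIC_HDR.pack(following, 0, GENERIC_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, first, 0x10, 2, 0, 0,
                           ISAKMP_HDR.size + len(body)) + body

if __name__ == "__main__":
    sample = [(1, b"sa-body"), (13, b"vendor-id")]         # 1 = SA, 13 = Vendor ID
    compliant = build_message(sample)                      # last next-payload = 0
    quirky = build_message(sample, last_next_payload=13)   # peer leaves a stale value
    print(walk_payloads(compliant))
    print(walk_payloads(quirky, check_last_next_payload=False))
```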
