
ACL-based IPsec, Application-based IPsec, Protocols and standards – H3C Technologies H3C S6300 Series Switches User Manual

Page 236: IPsec tunnel establishment


ACL-based IPsec

To implement ACL-based IPsec, configure an ACL to define the data flows to be protected, reference the ACL in an IPsec policy, and then apply the IPsec policy to an interface. When packets sent by the interface match a permit rule of the ACL, they are protected by the outbound IPsec SA and encapsulated with IPsec. When the interface receives an IPsec packet whose destination address is the IP address of the local device, it looks up the inbound IPsec SA by the SPI carried in the IPsec packet header and uses that SA to de-encapsulate the packet. If the de-encapsulated packet matches a permit rule of the ACL, the device processes the packet. Otherwise, it drops the packet.
The device supports the following data flow protection modes:

Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it.

Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL. This mode is only used to communicate with old-version devices.

Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it. This mode consumes more system resources when multiple data flows exist between two subnets to be protected.
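The following Python model illustrates the two decisions described above: on the outbound side, which IPsec tunnel (if any) a packet is steered into under the standard, aggregation and per-host modes, and on the inbound side, the SPI lookup followed by the ACL re-check of the de-encapsulated packet. It is an added example written for this page, not H3C code; the ACL rules, addresses and SPI values are constructed, no cryptography is performed, and the inbound check reuses the sender's ACL for brevity (a real receiver's ACL mirrors the sender's).

```python
"""Model of ACL-based IPsec flow selection (added example, not H3C code).

ACL rules, addresses and SPI values are constructed for illustration.
'De-encapsulation' only exposes an inner header; no crypto is done.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str   # "permit" or "deny"
    src: str      # source prefix in CIDR notation
    dst: str      # destination prefix in CIDR notation

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def first_match(acl: List[AclRule], src_ip: str, dst_ip: str) -> Optional[AclRule]:
    """Rules are evaluated in order; the first matching rule decides."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip):
            return rule
    return None


def tunnel_key(mode: str, acl_name: str, rule: AclRule,
               src_ip: str, dst_ip: str) -> Tuple:
    """Identity of the tunnel that carries a permitted flow in each mode."""
    if mode == "standard":      # one tunnel per permit rule
        return (acl_name, rule.rule_id)
    if mode == "aggregation":   # one tunnel for everything the ACL permits
        return (acl_name,)
    if mode == "per-host":      # one tunnel per host-to-host pair
        return (acl_name, rule.rule_id, src_ip, dst_ip)
    raise ValueError(f"unknown protection mode: {mode}")


def outbound(acl_name: str, acl: List[AclRule], mode: str,
             packets: List[Tuple[str, str]]) -> Tuple[Set[Tuple], List[Tuple[str, str]]]:
    """Classify packets leaving the interface.

    Returns the set of tunnels the permitted flows require and the list of
    packets that hit no permit rule and therefore leave without IPsec.
    """
    tunnels: Set[Tuple] = set()
    unprotected: List[Tuple[str, str]] = []
    for src, dst in packets:
        rule = first_match(acl, src, dst)
        if rule is None or rule.action != "permit":
            unprotected.append((src, dst))
            continue
        tunnels.add(tunnel_key(mode, acl_name, rule, src, dst))
    return tunnels, unprotected


def inbound(local_ip: str, acl: List[AclRule], inbound_sas: Dict[int, str],
            pkt: Dict[str, object]) -> str:
    """Decide the fate of a received IPsec packet.

    pkt holds the outer destination, the SPI from the IPsec header and the
    inner source/destination exposed by de-encapsulation. The inner packet
    is accepted only if it matches a permit rule of the ACL.
    """
    if pkt["outer_dst"] != local_ip:
        return "drop: outer destination is not the local device"
    if pkt["spi"] not in inbound_sas:
        return "drop: no inbound SA for SPI 0x%x" % pkt["spi"]
    rule = first_match(acl, str(pkt["inner_src"]), str(pkt["inner_dst"]))
    if rule is None or rule.action != "permit":
        return "drop: de-encapsulated packet not permitted by the ACL"
    return f"accept via {inbound_sas[pkt['spi']]}"


# Constructed sample ACL referenced by the IPsec policy, and sample traffic.
ACL_3000 = [
    AclRule(0, "permit", "10.1.1.0/24", "10.1.2.0/24"),
    AclRule(5, "permit", "10.1.3.0/24", "10.1.4.0/24"),
    AclRule(10, "deny", "0.0.0.0/0", "0.0.0.0/0"),
]
PACKETS = [
    ("10.1.1.1", "10.1.2.1"),
    ("10.1.1.2", "10.1.2.1"),
    ("10.1.3.7", "10.1.4.9"),
    ("192.168.0.1", "10.1.2.1"),   # covered by no permit rule
]

if __name__ == "__main__":
    for mode in ("standard", "aggregation", "per-host"):
        tunnels, clear = outbound("3000", ACL_3000, mode, PACKETS)
        print(f"{mode:12s} tunnels={len(tunnels)} unprotected={clear}")
```

Running the block shows the resource trade-off the section describes: the same four packets need two tunnels in standard mode, one in aggregation mode and three in per-host mode, and the packet from 192.168.0.1 is never protected because it hits the final deny rule.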

Application-based IPsec

This IPsec implementation method does not require any ACL. All packets of the application bound to an IPsec policy are encapsulated with IPsec; all packets of applications that are not bound to IPsec, and IPsec packets that fail de-encapsulation, are dropped.

You can use this method to protect an IPv6 routing protocol with IPsec. The supported IPv6 routing protocol is RIPng.

In one-to-many communication scenarios, you must configure manual IPsec SAs for an IPv6 routing protocol for the following reasons:

The automatic key exchange mechanism is only used to protect communications between two points. In one-to-many communication scenarios, automatic key exchange cannot be implemented.

One-to-many communication scenarios require that all the devices use the same SA parameters (SPI and key) to receive and send packets. IKE-negotiated SAs cannot meet this requirement.

Protocols and standards

RFC 2401, Security Architecture for the Internet Protocol

RFC 2402, IP Authentication Header

RFC 2406, IP Encapsulating Security Payload

IPsec tunnel establishment

IPsec tunnels can be established in different methods. Choose the method that suits your network conditions:

ACL-based IPsec tunnel—Protects packets identified by an ACL. To establish an ACL-based IPsec tunnel, configure an IPsec policy, reference an ACL in the policy, and apply the policy to an interface (see "Implementing ACL-based IPsec"). The IPsec tunnel establishment steps are the same in an IPv4 network and in an IPv6 network.