
Implementing acl-based ipsec, Feature restrictions and guidelines, Acl-based ipsec configuration task list – H3C Technologies H3C S6300 Series Switches User Manual


Application-based IPsec tunnel—Protects the packets of an application. This method can be used to protect IPv6 routing protocols. It does not require any ACL. To establish application-based IPsec tunnels, configure manual IPsec profiles and bind the profiles to an IPv6 routing protocol. For more information about IPv6 routing protocols, see "Configuring IPsec for IPv6 routing protocols."

Implementing ACL-based IPsec

Feature restrictions and guidelines

ACLs for IPsec take effect only on traffic that is generated by the device and traffic that is destined for the device. They do not take effect on traffic forwarded through the device. For example, an ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it cannot protect all the data flows and voice flows that are forwarded by the device. For more information about configuring an ACL for IPsec, see "Configuring an ACL."

Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50. Make sure traffic of these protocols is not denied on the interfaces with IKE or IPsec configured.

ACL-based IPsec configuration task list

The generic configuration procedure for implementing ACL-based IPsec is as follows:

1. Configure an ACL for identifying data flows to be protected.

2. Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and the encapsulation mode.

3. Configure an IPsec policy to associate data flows with the IPsec transform sets, specify the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec tunnel), the required keys, and the SA lifetime.
   An IPsec policy is a set of IPsec policy entries that have the same name but different sequence numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has a higher priority.

4. Apply the IPsec policy to an interface.
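The four steps above carried through as one IKE-based configuration, written here as an added example rather than taken from the manual. It protects the only kind of flow the restriction section says an ACL-based tunnel can protect, traffic the device itself originates (syslog from the switch to a log server), and leaves forwarded traffic alone. All addresses (10.1.1.1 for the switch, 10.1.2.1 for the log server/IPsec peer), the ACL number 3000, the names tran1, keychain1, profile1 and policy1, the VLAN interface number and the pre-shared key are assumed values; the command syntax follows Comware 7 from memory, so the platform's own command reference governs where it differs.

```comware
# Step 1: ACL that selects the flow to protect. Only device-originated or
# device-destined traffic is matched here (syslog from the switch to the
# log server), because the IPsec ACL does not act on forwarded traffic.
acl advanced 3000
 rule 0 permit udp source 10.1.1.1 0 destination 10.1.2.1 0 destination-port eq 514
quit
#
# Step 2: transform set = security protocol, algorithms, encapsulation mode.
ipsec transform-set tran1
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
 encapsulation-mode tunnel
quit
#
# Step 3a: keys and identity for IKE negotiation (assumed pre-shared key;
# use a strong key and consider the keychain/profile names as placeholders).
ike keychain keychain1
 pre-shared-key address 10.1.2.1 255.255.255.255 key simple ExamplePSK-change-me
quit
ike profile profile1
 keychain keychain1
 local-identity address 10.1.1.1
 match remote identity address 10.1.2.1 255.255.255.255
quit
#
# Step 3b: IPsec policy entry "policy1" sequence 10, IKE (isakmp) negotiation.
# Further entries would reuse the name with a larger sequence number;
# the smaller number is consulted first.
ipsec policy policy1 10 isakmp
 security acl 3000
 transform-set tran1
 remote-address 10.1.2.1
 ike-profile profile1
quit
#
# Step 4: bind the policy to the interface that reaches the peer.
# Any packet filter on this interface must still permit UDP 500 (IKE)
# and IP protocol 50 (ESP), as the guidelines section requires.
interface Vlan-interface 10
 ip address 10.1.1.1 255.255.255.0
 ipsec apply policy policy1
quit
#
# Verification after the first syslog packet triggers negotiation.
display ike sa
display ipsec sa
```

The ACL is deliberately narrow: a permit rule that also matched transit traffic would not be protected anyway, and a broad rule makes it harder to see from `display ipsec sa` which flows actually negotiated an SA.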

Complete the following tasks to configure ACL-based IPsec:

Tasks at a glance

- (Required.) Configuring an ACL
- (Required.) Configuring an IPsec transform set
- (Required.) Configure an IPsec policy (use either method):
  - Configuring a manual IPsec policy
  - Configuring an IKE-based IPsec policy
- (Required.) Applying an IPsec policy to an interface
- (Optional.) Enabling ACL checking for de-encapsulated packets
- (Optional.) Configuring the IPsec anti-replay function
- (Optional.) Binding a source interface to an IPsec policy
- (Optional.) Enabling QoS pre-classify