H3C Technologies H3C S6300 Series Switches User Manual (page 231): Applying an IPsec policy to an interface; Enabling ACL checking for de-encapsulated packets

Step 13. (Optional.) Enable the global IPsec SA idle timeout function and set the global SA idle timeout.
    Command: ipsec sa idle-time seconds
    Remarks: By default, the global IPsec SA idle timeout function is disabled.

Step 14. Create an IPsec policy by referencing the IPsec policy template.
    Command: ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name
    Remarks: By default, no IPsec policy exists.

Applying an IPsec policy to an interface

You can apply an IPsec policy to an interface to protect certain data flows. To cancel the IPsec protection, remove the application of the IPsec policy from the interface. In addition to VLAN interfaces, you can apply an IPsec policy to tunnel interfaces to protect tunnel traffic such as GRE.

For each packet to be sent out of an interface to which an IPsec policy is applied, the interface looks through the entries of that IPsec policy in ascending order of sequence number. If the packet matches the ACL of an IPsec policy entry, the interface uses that entry to protect the packet. If no entry matches, the interface sends the packet out without IPsec protection. The policy therefore fails open: any flow the ACLs do not cover leaves the interface in cleartext, so make sure the ACL rules cover every flow that must be protected.

When the interface receives an IPsec packet whose destination address is an IP address of the local device, it looks up the inbound IPsec SA by the SPI carried in the IPsec packet header and uses that SA to de-encapsulate the packet. If ACL checking for de-encapsulated packets is enabled (see "Enabling ACL checking for de-encapsulated packets" below), the device then matches the de-encapsulated packet against the ACL of the IPsec policy: if the packet matches a permit rule, the device processes it; otherwise, it drops the packet.

An interface can reference only one IPsec policy. An IKE-based IPsec policy can be applied to more than one interface, but a manual IPsec policy can be applied to only one interface.
To apply an IPsec policy to an interface:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

Step 3. Apply an IPsec policy to the interface.
    Command: ipsec apply { policy | ipv6-policy } policy-name
    Remarks: By default, no IPsec policy is applied to the interface. An interface can reference only one IPsec policy. An IKE-mode IPsec policy can be applied to multiple interfaces, and a manual IPsec policy can be applied to only one interface.
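The procedure above shows only the final step. The following is an added, complete configuration, not taken from this manual page, that shows where that step sits relative to the ACL, transform set, IKE keychain, IKE profile and IKE-based IPsec policy it depends on. The ACL number, object names, addresses, VLAN interface number and pre-shared key are invented placeholders. Apart from ipsec apply and the ipsec { policy | ipv6-policy } ... isakmp command in the tables on this page, the commands are assumed to follow the IPsec and IKE configuration chapters of the same Comware 7 manual, which are not on this page; ipsec decrypt-check enable is assumed to be the command the truncated section below describes.

```text
system-view
#
# Traffic selector: only this subnet pair is protected. Anything the
# policy's ACLs do not permit leaves the interface in cleartext.
acl advanced 3000
 rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
# ESP in tunnel mode with authenticated encryption; required for the
# de-encapsulated-packet ACL check, which applies to tunnel mode.
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
#
# IKE authentication material for the single peer 203.0.113.2 (placeholder PSK).
ike keychain kc1
 pre-shared-key address 203.0.113.2 255.255.255.255 key simple ExamplePSK
#
ike profile prof1
 keychain kc1
 local-identity address 203.0.113.1
 match remote identity address 203.0.113.2 255.255.255.255
#
# IKE-based IPsec policy map1, entry 10. Entries are searched in
# ascending sequence number; the first entry whose ACL matches wins.
ipsec policy map1 10 isakmp
 security acl 3000
 transform-set tran1
 remote-address 203.0.113.2
 ike-profile prof1
#
# Step 3 of the procedure: bind the policy to the interface. One policy
# per interface; an IKE-based policy may be reused on other interfaces.
interface Vlan-interface 100
 ipsec apply policy map1
#
# Drop inner packets that a peer tunnels to us but that ACL 3000 does not
# permit (assumed command; see the section below).
ipsec decrypt-check enable
```

After the peer is configured symmetrically, display ipsec sa should show an inbound and an outbound SA for entry 10 of map1, and display ipsec statistics shows how many packets were protected versus dropped. Because unmatched traffic is sent unprotected, test that a flow outside 192.168.10.0/24 to 192.168.20.0/24 really is meant to leave in cleartext before relying on this policy.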

Enabling ACL checking for de-encapsulated packets

This feature uses the ACL in the IPsec policy to check the IP packets that are de-encapsulated from incoming tunnel-mode IPsec packets, and discards the packets that fail to match the ACL. This prevents an attacker from using the tunnel to inject forged inner packets that the IPsec policy was never meant to protect.
To enable ACL checking for de-encapsulated packets: