
Configuration considerations, Recommended configuration procedure – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 869


If you enable both IPsec and QoS on an interface, QoS may put the traffic of one IPsec SA into different queues, so that some packets are sent out of order. Because IPsec performs anti-replay checking, inbound packets that arrive outside the anti-replay window may be discarded, resulting in packet loss. When using IPsec together with QoS, make sure both use the same classification rules. IPsec classification rules depend on the referenced ACL rules.
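The reordering risk described above can be reproduced with a model of the receiver's anti-replay window. This is an added example, not code from the manual or from H3C: a sliding window in the style of RFC 4303, fed once by a QoS scheduler that splits one SA's packets across two queues and once by one that keeps them together (queue names, packet counts and the scheduler itself are constructed for the demonstration).

```python
# Added example (not from the manual or H3C): model an IPsec receiver's anti-replay
# window and show how QoS queueing that splits one SA across queues causes drops.

class AntiReplayWindow:
    """Sliding window in the style of RFC 4303: bitmap bit i records whether
    sequence number (top - i) has already been accepted."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        """True if accepted; False if the packet is a replay or too old."""
        if seq == 0:                          # ESP never uses sequence 0
            return False
        if seq > self.top:                    # newer than anything seen: slide
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:               # below the window: discarded
            return False
        if self.bitmap & (1 << offset):       # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True

def schedule(seqs, classify, drain_order):
    """Constructed QoS model: classify packets into queues, then drain each
    queue in turn, as a strict-priority scheduler does under load."""
    queues = {}
    for s in seqs:
        queues.setdefault(classify(s), []).append(s)
    return [s for q in drain_order for s in queues.get(q, [])]

def dropped_by_receiver(seqs, window=64):
    """Sequence numbers the receiver's anti-replay check rejects."""
    w = AntiReplayWindow(window)
    return [s for s in seqs if not w.accept(s)]

def demo(n=200, window=64):
    """(drops when QoS splits the SA across queues, drops when it does not)."""
    seqs = list(range(1, n + 1))
    split = schedule(seqs, lambda s: "high" if s % 2 == 0 else "low", ["high", "low"])
    whole = schedule(seqs, lambda s: "ipsec", ["ipsec"])
    return len(dropped_by_receiver(split, window)), len(dropped_by_receiver(whole, window))
```

With 200 packets and a 64-packet window, `demo()` returns `(68, 0)`: every low-queue packet that falls more than 64 sequence numbers behind the high queue is discarded, while a single queue loses nothing.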

Configuration considerations

You configure IPsec tunnels on the device by configuring IPsec policies. The IPsec policies use ACLs to identify protected traffic, and take effect after being applied to physical interfaces.

Configure IPsec policies by using the following steps:

1. Configure ACLs for identifying the data flows to be protected by IPsec.

2. Configure IPsec proposals to specify the security protocols, authentication and encryption algorithms, and encapsulation mode. An IPsec proposal applies to the data flows associated with it.

3. Configure IPsec policies to associate data flows with IPsec proposals and specify the SA negotiation mode, the start and end points of the IPsec tunnels, the privacy keys, and the SA lifetime.

4. Apply the IPsec policies to interfaces.

Recommended configuration procedure

Step 1: Configuring ACLs
Remarks: Required. Configure ACLs to identify the data flows to be protected by IPsec.

Step 2: Configuring an IPsec proposal
Remarks: Required. An IPsec proposal defines a set of security parameters for IPsec SA negotiation, including the security protocol, encryption and authentication algorithms, and encapsulation mode.
IMPORTANT: Changes to an IPsec proposal affect only SAs negotiated after the changes are made.

Step 3: Configuring an IPsec policy template
Remarks: Required if you are using an IPsec policy template group to create an IPsec policy. An IPsec policy template group is a collection of IPsec policy templates with the same name but different sequence numbers. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.