Configuration considerations, Recommended configuration procedure – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
• If you enable both IPsec and QoS on an interface, QoS may put the traffic of a single IPsec SA
into different queues, causing some packets to be sent out of order. Because IPsec performs
anti-replay checking, inbound packets that fall outside the anti-replay window may be discarded,
resulting in packet loss. When using IPsec together with QoS, make sure they use the same
classification rules. IPsec classification rules depend on the referenced ACL rules.
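The interaction described above can be reproduced with a small model. The following Python sketch is an added illustration, not taken from the H3C manual or device software: it feeds an ESP-style anti-replay sliding window with packets reordered by a two-queue scheduler. The window size of 64, the queue names, the queue delays and the every-fourth-packet split are constructed assumptions.

```python
# Added illustration (not H3C code): ESP-style anti-replay window fed by a
# QoS scheduler. Window size, queue names and delays are assumed values.

class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) was seen

    def accept(self, seq):
        """Return True if the packet passes the inbound anti-replay check."""
        if seq > self.top:                   # newer than anything seen: slide
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:              # fell behind the window
            return False
        if self.bitmap & (1 << offset):      # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True

def arrival_order(n_packets, queue_of, delay):
    """Sequence numbers 1..n in the order the receiver sees them.
    delay[queue] is the extra latency of that queue, in packet times."""
    timed = [(seq + delay[queue_of(seq)], seq) for seq in range(1, n_packets + 1)]
    return [seq for _, seq in sorted(timed)]

def count_drops(order, window_size=64):
    window = AntiReplayWindow(window_size)
    return sum(not window.accept(seq) for seq in order)

DELAY = {"high": 0, "low": 100}              # constructed queue latencies

def split_by_qos(seq):     # QoS rule finer than the IPsec ACL: one SA, two queues
    return "low" if seq % 4 == 0 else "high"

def same_as_ipsec(seq):    # QoS rule matches the IPsec ACL: one SA, one queue
    return "low"

if __name__ == "__main__":
    for name, rule in (("mismatched", split_by_qos), ("matched", same_as_ipsec)):
        drops = count_drops(arrival_order(1000, rule, DELAY))
        print(f"{name:10s} classification: {drops} of 1000 packets dropped")
```

In this model, packets delayed by less than the window size are still accepted; loss appears only when the slower queue lags the faster one by more than the window.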
Configuration considerations
You configure IPsec tunnels on the device by configuring IPsec policies. The IPsec policies use ACLs to
identify protected traffic, and take effect after being applied to physical interfaces.
Configure IPsec policies by using the following steps:
1. Configure ACLs for identifying the data flows to be protected by IPsec.
2. Configure IPsec proposals to specify the security protocols, authentication and encryption
   algorithms, and encapsulation mode. An IPsec proposal applies to data flows associated with it.
3. Configure IPsec policies to associate data flows with IPsec proposals and specify the SA
   negotiation mode, the start and end points of the IPsec tunnels, the privacy keys, and the SA
   lifetime.
4. Apply the IPsec policies to interfaces.
Recommended configuration procedure
| Step | Remarks |
| --- | --- |
| 1. | Required. Configure ACLs to identify the data flows to be protected by IPsec. |
| 2. Configuring an IPsec proposal | Required. An IPsec proposal defines a set of security parameters for IPsec SA negotiation, including the security protocol, encryption and authentication algorithms, and encapsulation mode. IMPORTANT: Changes to an IPsec proposal affect only SAs negotiated after the changes are made. |
| 3. Configuring an IPsec policy | Required if you are using an IPsec policy template group to create an IPsec policy. An IPsec policy template group is a collection of IPsec policy templates with the same name but different sequence numbers. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority. |