Configuring acls – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
| Step | Remarks |
|---|---|
| 4. Configuring an IPsec policy | Required. Configure an IPsec policy by specifying the parameters directly or by using a created IPsec policy template. The device supports only IPsec policies that use IKE. An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers; the smaller the sequence number, the higher the priority of the IPsec policy within the policy group. IMPORTANT: An IPsec policy that references a template cannot be used to initiate SA negotiation, but it can respond to a negotiation request. The parameters specified in the IPsec policy template must match those of the remote end; the parameters not defined in the template are determined by the initiator. |
| 5. Applying an IPsec policy group | Required. Apply an IPsec policy group to an interface (logical or physical) to protect certain data flows. |
| | Optional. View brief information about established IPsec SAs to verify your configuration. |
| | Optional. View packet statistics to verify your configuration. |
Configuring ACLs
For more information about ACL configuration, see "QoS > ACL IPv4," and "QoS > ACL IPv6."
If you enable both IPsec and QoS on an interface, QoS may place the packets of one IPsec SA into different queues, so some of them leave the interface out of order. Because IPsec performs anti-replay checking, the receiving end discards inbound packets that fall outside its anti-replay window, which shows up as packet loss. When using IPsec together with QoS, make sure that both use the same classification rules. IPsec classification rules depend on the referenced ACL rules. For more information about QoS classification rules, see "Configuring QoS."
When defining ACL rules for IPsec, follow these guidelines:
• Make sure that only the data flows to be protected by IPsec are defined in permit statements. A packet that is protected at the entry of the IPsec tunnel but not expected to be protected at the exit of the tunnel is dropped.
• Avoid statement conflicts within an IPsec policy group. When you create a deny statement, pay attention to its matching scope and to its matching order relative to permit statements. The policies in an IPsec policy group have different match priorities, and ACL rule conflicts between them easily cause packets to be mistreated. For example, when you configure a permit statement in an IPsec policy to protect an outbound traffic flow, make sure that the same flow does not match a deny statement in a higher-priority IPsec policy of the group. Otherwise, the packets are sent out as ordinary unprotected packets, and if they match a permit statement at the receiving end, IPsec drops them there.
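The following script is an added example, not code from the H3C manual, that models how a policy group evaluates a flow against its referenced ACLs so both guidelines above can be checked mechanically. It parses a small constructed subset of Comware-style CLI lines (acl number, rule ... permit|deny ip source ... destination ..., ipsec policy NAME SEQ isakmp, security acl N), tries the policies of a group from the smallest sequence number upward, and lets the first matching ACL rule decide: permit protects, deny sends the flow in the clear, no match falls through to the next policy. The addresses, ACL numbers, policy names, the assumption that rules inside an ACL match in ascending rule-number order, and the mirror-image check at the exit end are all assumptions of this example.

```python
"""Model IPsec policy-group classification on a Comware-style device.
Added example (not from the H3C manual); CLI subset, addresses and policy
names are constructed, and ACL rules are assumed to match in rule-number order."""
import ipaddress
import re

ACL_RE = re.compile(r"acl number (\d+)")
POLICY_RE = re.compile(r"ipsec policy (\S+) (\d+) isakmp")
SEC_ACL_RE = re.compile(r"security acl (\d+)")
RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)")

def _ints(*dotted):
    return [int(ipaddress.IPv4Address(x)) for x in dotted]

def wildcard_match(addr, base, wildcard):
    """Comware ACLs use wildcard (inverse) masks: a 1 bit means 'do not care'."""
    a, b, w = _ints(addr, base, wildcard)
    return (a | w) == (b | w)

def _overlap(b1, w1, b2, w2):
    """Two wildcard ranges overlap when they agree on every bit both of them fix."""
    b1, w1, b2, w2 = _ints(b1, w1, b2, w2)
    return (b1 ^ b2) & ~w1 & ~w2 & 0xFFFFFFFF == 0

def parse_config(text):
    """Return (acls, groups): acl number -> [(rule_no, action, src, swc, dst, dwc)]
    sorted by rule number, and group name -> [(seq, acl_number)] sorted by seq."""
    acls, groups, cur_acl, cur_policy = {}, {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := ACL_RE.fullmatch(line):
            cur_acl, cur_policy = int(m.group(1)), None
            acls.setdefault(cur_acl, [])
        elif m := POLICY_RE.fullmatch(line):
            cur_policy, cur_acl = (m.group(1), int(m.group(2))), None
        elif (m := RULE_RE.fullmatch(line)) and cur_acl is not None:
            acls[cur_acl].append((int(m.group(1)), m.group(2)) + m.groups()[2:])
        elif (m := SEC_ACL_RE.fullmatch(line)) and cur_policy is not None:
            groups.setdefault(cur_policy[0], []).append((cur_policy[1], int(m.group(1))))
    for lst in list(acls.values()) + list(groups.values()):
        lst.sort()
    return acls, groups

def classify(config, group, src, dst):
    """Outbound flow src->dst against a policy group: ('protect', seq) for a permit
    hit, ('clear', seq) for a deny hit, ('clear', None) when no policy matches."""
    acls, groups = config
    for seq, acl_no in groups.get(group, []):  # smallest seq = highest priority
        for _no, action, sb, sw, db, dw in acls.get(acl_no, []):
            if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
                return ("protect" if action == "permit" else "clear", seq)
    return ("clear", None)

def tunnel_verdict(entry_cfg, entry_group, exit_cfg, exit_group, src, dst):
    """The exit end's ACL describes its own outbound traffic, so the arriving packet
    is matched in mirror image (dst->src). Any disagreement between the ends is a drop."""
    at_entry, _ = classify(entry_cfg, entry_group, src, dst)
    at_exit, _ = classify(exit_cfg, exit_group, dst, src)
    if at_entry != at_exit:
        return "dropped-at-exit"
    return "forwarded-protected" if at_entry == "protect" else "forwarded-clear"

def shadowed_permits(config, group):
    """Deny rules that overlap a permit in a lower-priority policy of the same group
    (conservative: an earlier permit inside the same ACL is not taken into account)."""
    acls, groups = config
    policies, hits = groups.get(group, []), []
    for i, (dseq, dacl) in enumerate(policies):
        for dno, action, dsb, dsw, ddb, ddw in acls.get(dacl, []):
            if action != "deny":
                continue
            for pseq, pacl in policies[i + 1:]:
                for pno, pact, psb, psw, pdb, pdw in acls.get(pacl, []):
                    if pact == "permit" and _overlap(dsb, dsw, psb, psw) and _overlap(ddb, ddw, pdb, pdw):
                        hits.append((dseq, dno, pseq, pno))
    return hits

# Constructed two-site sample: the deny in map1 seq 10 shadows the permit in seq 20,
# and site A protects 10.1.0.0/16 -> 10.3.0.0/16 while site B does not expect it.
SITE_A = """
acl number 3001
 rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
acl number 3002
 rule 0 permit ip source 10.1.0.0 0.0.255.255 destination 10.2.0.0 0.0.255.255
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.3.0.0 0.0.255.255
ipsec policy map1 10 isakmp
 security acl 3001
ipsec policy map1 20 isakmp
 security acl 3002
"""
SITE_B = """
acl number 3002
 rule 0 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
ipsec policy map2 10 isakmp
 security acl 3002
"""
A, B = parse_config(SITE_A), parse_config(SITE_B)

if __name__ == "__main__":
    for src, dst in (("10.1.1.5", "10.2.2.9"), ("10.1.9.1", "10.2.2.1"), ("10.1.9.1", "10.3.1.1")):
        print(src, "->", dst, classify(A, "map1", src, dst), tunnel_verdict(A, "map1", B, "map2", src, dst))
    print("deny shadowing a lower-priority permit:", shadowed_permits(A, "map1"))
```

Running it shows the two failure modes from the guidelines: 10.1.1.5 -> 10.2.2.9 hits the deny in seq 10, leaves site A in the clear, matches the permit at site B and is dropped there, which shadowed_permits flags before any traffic is sent; 10.1.9.1 -> 10.3.1.1 is protected at site A but matches nothing at site B, so it is dropped at the exit. Only 10.1.9.1 -> 10.2.2.1, permitted on both ends, is forwarded protected.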