H3C Technologies H3C SecPath F1000-E User Manual

applying a manual IPsec policy to a certain IPv6 routing protocol, the packets of that protocol are IPsec protected. For configuration details, refer to Configuring IPsec for IPv6 Routing Protocols.

Implementing ACL-Based IPsec

IPsec Configuration Task List

The following is the generic configuration procedure for implementing ACL-based IPsec:

1. Configure ACLs that identify the data flows to be protected.

2. Configure IPsec proposals. A proposal is a set of security protocols (AH, ESP, or both), authentication and encryption algorithms, and an encapsulation mode (tunnel or transport). A proposal applies to the data flows associated with it through an IPsec policy.

3. Configure IPsec policies to associate data flows (the ACLs) with IPsec proposals, and to specify the SA negotiation mode (manual or IKE), the peer IP addresses (the start and end points of the IPsec tunnel), the required keys, and the SA lifetime.

4. Apply the IPsec policies to interfaces to complete the IPsec configuration.
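The four steps above carried through as one configuration, as an added example that is not taken from the manual. The command syntax follows the Comware V5 IPsec command set as recalled by the editor and should be checked against the command reference for the installed software version; ACL, proposal, policy and peer names, addresses and the pre-shared key are placeholders, and lines beginning with `#` are explanatory notes rather than CLI input. Rules in the ACL are evaluated in order and the first match decides, so the deny rule is placed before the broader permit rule to carve one host out of the protected subnet.

```text
# Step 1: ACL that selects the flow to protect (local 10.1.1.0/24 -> remote 10.2.2.0/24).
# Rule 0 matches first, so traffic to host 10.2.2.100 is forwarded in the clear (not protected);
# everything else to 10.2.2.0/24 matches rule 5 and is IPsec protected.
acl number 3001
 rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.2.2.100 0
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
quit

# Step 2: proposal = security protocol + algorithms + encapsulation mode.
ipsec proposal tran1
 encapsulation-mode tunnel
 transform esp
 esp encryption-algorithm aes 128
 esp authentication-algorithm sha1
quit

# Step 3: IKE peer (remote tunnel endpoint and key) and the IPsec policy that ties
# ACL, proposal and peer together, with an SA lifetime. Replace the key with a strong value.
ike peer peer1
 pre-shared-key simple REPLACE-WITH-STRONG-KEY
 remote-address 2.2.2.2
quit
ipsec policy policy1 10 isakmp
 security acl 3001
 proposal tran1
 ike-peer peer1
 sa duration time-based 3600
quit

# Step 4: apply the policy (all entries named policy1 form the policy group) to the
# interface that faces the peer.
interface GigabitEthernet 0/1
 ip address 1.1.1.1 255.255.255.0
 ipsec policy policy1
quit
```

The peer device needs a mirror-image ACL (source and destination swapped) and a matching proposal, otherwise IKE negotiation succeeds for some flows and silently leaves others unprotected. After committing, confirm with the device's IPsec SA and IKE SA display commands that an SA exists for the flows the permit rule covers and none for the host excluded by the deny rule.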

Complete the following tasks to configure ACL-based IPsec:

Task                                                      Remarks
Configuring ACLs                                          Required (basic IPsec configuration)
Configuring an IPsec Proposal                             Required (basic IPsec configuration)
Configuring an IPsec Policy                               Required (basic IPsec configuration)
Applying an IPsec Policy Group to an Interface            Required (basic IPsec configuration)
Enabling the Encryption Engine                            Required
Enabling ACL Checking of De-Encapsulated IPsec Packets    Optional
Configuring the IPsec Anti-Replay Function                Optional
Configuring Packet Information Pre-Extraction             Optional

CAUTION:

IKE communicates over UDP port 500 (and over UDP port 4500 when NAT traversal is in use), and AH and ESP use IP protocol numbers 51 and 50 respectively. Make sure that packet filters on the interfaces with IKE and/or IPsec configured do not deny these flows; if they do, IKE negotiation never completes or the encapsulated traffic is dropped on arrival, even though the IPsec policy itself is correct.
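An interface packet filter that honours the caution above, as an added example that is not taken from the manual. The syntax follows the Comware V5 ACL and firewall packet-filter commands as recalled by the editor and should be checked against the command reference for the installed software version; the peer address 2.2.2.2, the ACL number and the interface are placeholders, and lines beginning with `#` are explanatory notes rather than CLI input. This filter ACL is separate from the ACL referenced by the IPsec policy: the policy ACL chooses what to encrypt, while this one decides what the interface accepts.

```text
# Inbound filter: admit IKE (UDP 500, and UDP 4500 for NAT traversal), ESP (protocol 50)
# and AH (protocol 51) from the IPsec peer, then deny everything else that reaches the
# filter. Without the first four rules, rule 100 would also drop the IKE and IPsec traffic.
acl number 3002
 rule 0 permit udp source 2.2.2.2 0 destination-port eq 500
 rule 5 permit udp source 2.2.2.2 0 destination-port eq 4500
 rule 10 permit 50 source 2.2.2.2 0
 rule 15 permit 51 source 2.2.2.2 0
 rule 100 deny ip
quit

firewall enable
interface GigabitEthernet 0/1
 firewall packet-filter 3002 inbound
quit
```

Restricting the permits to the peer's address keeps the interface from accepting IKE or ESP from arbitrary hosts; if the peer sits behind NAT, its source address is the NAT device's public address, and the UDP 4500 rule is the one that carries the tunnel.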

Configuring ACLs

ACLs are used to identify traffic. They are widely used wherever traffic identification is needed, such as QoS and IPsec.

Keywords in ACL rules

IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule contains a deny or permit keyword and is treated as a deny or permit statement. A rule with the permit keyword identifies a data flow to be protected by IPsec, while a rule with the deny keyword identifies a data flow that does not need IPsec protection. With IPsec, a packet is matched against the referenced ACL rules in order and is processed according to the first rule that it matches: