Protection modes, Configuring an ipsec proposal – H3C Technologies H3C SecPath F1000-E User Manual

10

Protection modes

Currently, data flows can be protected in two modes:

•

Standard mode: One tunnel is used to protect one data flow. That is, the data flow permitted by an
ACL rule is protected by one tunnel that is established separately for it.

•

Aggregation mode: One tunnel is used to protect all data flows permitted by all the rules of an ACL.
This mode applies to only scenarios using IKE for negotiation.

NOTE:
•

For more information about ACL configuration, refer to

ACL in the Firewall WEB.

•

When both IPsec and QoS are enabled on an interface, if QoS classifies the data flows of one IPsec SA
into different queues, part of packets may be sent out of order. In addition, IPsec will discard the packets
beyond the anti-replay window in the inbound direction based on its anti-replay function, resulting in

loss of those packets. Therefore, to use IPsec in combination with QoS, ensure that the IPsec classification

rules match the QoS classification rules. The IPsec classification rules depend on the referenced ACL
rules. For information about QoS classification rules, refer to

QoS in the Firewall WEB.

Configuring an IPsec Proposal

An IPsec proposal, part of a security policy or IPsec profile, defines the security parameters for IPsec SA

negotiation, including the security protocol, encryption/authentication algorithms, and encapsulation
mode.
Following these steps to configure an IPsec proposal:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Create an IPsec proposal and enter its
view

ipsec proposal
proposal-name

Required
By default, no IPsec proposal exists.

Specify the security protocol for the
proposal

transform { ah | ah-esp |
esp }

Optional
ESP by default

Specify the
security
algorithms

Specify the
encryption algorithm
for ESP

esp encryption-algorithm
{ 3des | aes [ key-length ] |
des }

Optional
DES by default