Applying an ipsec policy group to an interface, Enabling the encryption engine – H3C Technologies H3C SecPath F1000-E User Manual
• An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last one takes effect.
• With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec proposals. During negotiation, IKE searches for a fully matched IPsec proposal at the two ends of the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to be protected will be dropped.
• When IKE uses an IPsec policy with PFS enabled to initiate negotiation, an additional key exchange is performed. If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same Diffie-Hellman (DH) group; otherwise, the negotiation will fail.
• An SA uses the global lifetime when no lifetime is configured for it in IPsec policy view. When negotiating to set up SAs, IKE uses the lifetime set locally or the lifetime proposed by the peer, whichever is smaller.
• You cannot switch an IPsec policy between the two creation modes, direct configuration and configuration by referencing an IPsec policy template. To create an IPsec policy in the other creation mode, delete the current one and then configure a new IPsec policy.
Applying an IPsec Policy Group to an Interface
An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers.
In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
You can apply an IPsec policy group to an interface (logical or physical) to protect certain data flows. To
cancel the IPsec protection, remove the application of the IPsec policy group.
For each packet to be sent out an IPsec protected interface, the system checks the IPsec policies of the
IPsec policy group in ascending order of sequence numbers. If it finds an IPsec policy whose ACL
matches the packet, it uses that IPsec policy to protect the packet. If the ACL of no IPsec policy in the
group matches the packet, the system does not provide IPsec protection for the packet and sends it out directly.
In addition to physical interfaces like Ethernet ports, an IPsec policy can be applied to virtual interfaces
such as tunnel interfaces and virtual template interfaces. Therefore, an IPsec policy can be used on
tunnels like GRE tunnels and L2TP tunnels as needed.
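The selection order described above has a practical consequence: a policy whose ACL is entirely covered by the ACL of a policy with a smaller sequence number can never be selected, so the flows it was meant for are protected by the earlier policy (possibly with different proposals or a different peer). The following Python model is an added example, not H3C code or Comware behaviour beyond what the text above states; the policy group name, sequence numbers, ACL prefixes and packet addresses are constructed for illustration. It walks a group in ascending sequence order, returns the first policy whose ACL matches, reports a packet with no match as sent in clear, and flags shadowed policies for review.

```python
"""Added example, not H3C code: a model of how an IPsec policy group picks the
policy for an outbound packet, following the rules in the text above (ascending
sequence number, first ACL match wins, no match means the packet leaves
unprotected). ACL rules, addresses and policy names are constructed.
Requires Python 3.7+ for ipaddress.subnet_of."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclRule:
    """One permit rule of an advanced ACL, reduced to source/destination prefixes."""
    src: str
    dst: str

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))

    def covers(self, other: "AclRule") -> bool:
        """True if every flow matched by `other` is also matched by this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst)))


@dataclass
class IpsecPolicy:
    name: str
    seq: int
    acl: List[AclRule]

    def reference_acl(self, acl: List[AclRule]) -> None:
        """A policy references exactly one ACL; a new reference replaces the old one."""
        self.acl = acl


class IpsecPolicyGroup:
    """All policies sharing one name; a smaller sequence number has higher priority."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._policies: Dict[int, IpsecPolicy] = {}

    def add(self, policy: IpsecPolicy) -> None:
        if policy.name != self.name:
            raise ValueError(f"policy {policy.name} does not belong to group {self.name}")
        self._policies[policy.seq] = policy

    def select(self, src: str, dst: str) -> Optional[IpsecPolicy]:
        """Return the policy that protects the flow, or None if it is sent in clear."""
        for seq in sorted(self._policies):
            policy = self._policies[seq]
            if any(rule.matches(src, dst) for rule in policy.acl):
                return policy
        return None

    def shadowed(self) -> List[int]:
        """Sequence numbers of policies that can never be selected because every
        one of their ACL rules is covered by a higher-priority policy."""
        result = []
        ordered = [self._policies[s] for s in sorted(self._policies)]
        for i, policy in enumerate(ordered):
            earlier = [r for p in ordered[:i] for r in p.acl]
            if policy.acl and all(any(e.covers(r) for e in earlier) for r in policy.acl):
                result.append(policy.seq)
        return result


def build_example_group() -> IpsecPolicyGroup:
    """Constructed sample group 'map1' with one intentionally shadowed policy."""
    group = IpsecPolicyGroup("map1")
    group.add(IpsecPolicy("map1", 10, [AclRule("10.1.0.0/16", "10.2.0.0/16")]))
    # seq 20 covers a subset of seq 10's flows, so it is never reached
    group.add(IpsecPolicy("map1", 20, [AclRule("10.1.1.0/24", "10.2.1.0/24")]))
    group.add(IpsecPolicy("map1", 30, [AclRule("192.168.0.0/24", "172.16.0.0/16")]))
    return group


def classify(group: IpsecPolicyGroup, src: str, dst: str) -> str:
    """Human-readable outcome for one outbound packet."""
    policy = group.select(src, dst)
    return f"protected by {policy.name} seq {policy.seq}" if policy else "sent in clear"


if __name__ == "__main__":
    g = build_example_group()
    for s, d in [("10.1.1.5", "10.2.1.7"), ("192.168.0.9", "172.16.3.3"), ("8.8.8.8", "1.1.1.1")]:
        print(f"{s} -> {d}: {classify(g, s, d)}")
    print("shadowed policies:", g.shadowed())
```

In the constructed group, a packet from 10.1.1.5 to 10.2.1.7 is protected by sequence 10 even though sequence 20 describes that flow more precisely, and a packet that matches no ACL leaves the interface unprotected. Running a shadow check like `shadowed()` against the intended policy set is a cheap way to confirm that every policy in a group can actually be reached.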
Follow these steps to apply an IPsec policy group to an interface:
To do…                                        Use the command…                            Remarks
Enter system view                             system-view                                 —
Enter interface view                          interface interface-type interface-number   —
Apply an IPsec policy group to the interface  ipsec policy policy-name                    Required
NOTE:
An interface can reference only one IPsec policy group. An IPsec policy established through IKE can be
applied to more than one interface, while a manual IPsec policy can be applied to only one interface.
Enabling the Encryption Engine
The encryption engine is a coprocessor that provides an encryption/decryption algorithm interface for
IPsec processing.