Configuring packet information pre-extraction, Implementing tunnel interface-based ipsec, Ipsec configuration task list – H3C Technologies H3C SecPath F1000-E User Manual

IPsec anti-replay checking does not affect IPsec SAs created manually.

Configuring Packet Information Pre-Extraction

If you apply both an IPsec policy and QoS policy to an interface, by default, the interface first uses IPsec and then QoS to process IP packets, and QoS classifies packets by the headers of IPsec-encapsulated packets. If you want QoS to classify packets by the headers of the original IP packets, enable the packet information pre-extraction feature.

For details about QoS policy and classification, refer to QoS in the Firewall WEB.

Follow these steps to configure packet information pre-extraction:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter IPsec policy view or IPsec policy template view | ipsec policy policy-name seq-number [ isakmp \| manual ], or ipsec policy-template template-name seq-number | Required. Configure either command |
| Enable packet information pre-extraction | qos pre-classify | Required. Disabled by default |
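
To show why the default order (IPsec first, then QoS) hides the original headers from classification, and what pre-extraction changes, here is a small Python model. It is an added example, not H3C code or a reproduction of the device's internals; the addresses, SPI, the port-5060 QoS rule and the XOR stand-in for encryption are all constructed assumptions.

```python
import ipaddress
import struct

ESP = 50           # IP protocol number for ESP
TCP, UDP = 6, 17

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def flow_key(packet):
    """What a QoS classifier can read from a packet's outermost headers."""
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    dport = None
    if proto in (TCP, UDP):          # ports are only visible for TCP/UDP
        dport = struct.unpack("!H", packet[22:24])[0]
    return src, dst, proto, dport

def esp_tunnel(inner, gw_src, gw_dst, spi=0x1000, seq=1):
    """Tunnel-mode ESP shape only: XOR stands in for real encryption."""
    opaque = bytes(b ^ 0x5A for b in inner)
    return ipv4(gw_src, gw_dst, ESP, struct.pack("!II", spi, seq) + opaque)

def classify(key):
    """Constructed QoS rule: UDP to port 5060 is 'voice', all else 'default'."""
    _, _, proto, dport = key
    return "voice" if proto == UDP and dport == 5060 else "default"

def send(inner, pre_classify):
    """IPsec runs before QoS; pre_classify saves the original key first."""
    saved = flow_key(inner) if pre_classify else None
    outer = esp_tunnel(inner, "198.51.100.1", "203.0.113.1")
    return classify(saved if pre_classify else flow_key(outer)), flow_key(outer)

# Constructed sample: a UDP datagram to port 5060 between two private hosts.
udp = struct.pack("!HHHH", 40000, 5060, 8 + 4, 0) + b"data"
original = ipv4("10.1.1.10", "10.2.2.20", UDP, udp)

if __name__ == "__main__":
    print("default order :", send(original, pre_classify=False))
    print("pre-extraction:", send(original, pre_classify=True))
```

Without pre-extraction the classifier sees only the gateway addresses and protocol 50, so every protected flow falls into the same class; with it, the original 5-tuple still drives classification even though the packet on the wire is identical.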

Implementing Tunnel Interface-Based IPsec

IPsec Configuration Task List

The following is the generic configuration procedure for implementing tunnel interface-based IPsec:

1. Configure a security proposal, including the security protocol, authentication and encryption algorithm, and encapsulation mode. A security proposal will apply to data flows associated with it.

2. Configure an IPsec profile to associate data flows with the IPsec proposal, specify the IKE peer parameters and the SA lifetime.

3. Configure an IPsec tunnel interface and apply the IPsec profile to the interface.

NOTE:

Because packets routed to the IPsec tunnel interface are all protected, the data protection scope, which is
required for IPsec policy configuration, is not needed in the IPsec profile.

Complete the following tasks to configure tunnel interface-based IPsec:

| Task | Remarks |
|---|---|
| Configuring an IPsec Proposal | Required. An IPsec proposal for the IPsec tunnel interface to reference supports tunnel mode only. |
| Configuring an IPsec Profile | Required |
| Configuring an IPsec Tunnel Interface | Required |