Protocols and standards, Ipsec implementation, Configuring acl-based ipsec in the web interface – H3C Technologies H3C SecPath F1000-E User Manual
As shown in the figure, Device A and Device B form a stateful failover system through a backup link. After the election process supported by the VRRP mechanism, Device A becomes the master. When Device A works normally, it establishes an IPsec tunnel to Device C, and synchronizes its IPsec service data to Device B. The synchronized IPsec service data includes the IKE SA, IPsec SAs, the anti-replay sequence number and window, the SA lifetime in units of bytes, and the DPD packet sequence number. Based on the IPsec service data, Device B generates its own IKE SA and IPsec SAs, which are called the standby IKE SA and standby IPsec SAs, in contrast with the active IKE SA and active IPsec SAs on Device A. When Device A fails, the VRRP mechanism switches IPsec traffic from Device A to Device B. Because Device B has a copy of Device A's IPsec service data, Device B can process IPsec traffic immediately, providing uninterrupted IPsec service.
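The paragraph above lists the anti-replay sequence number and window and the byte-based SA lifetime among the synchronized data. The following added example (not H3C code; the 64-bit window, the 1 MiB lifetime and all packet sizes are constructed) models an RFC 2401 style sliding anti-replay window and shows why a standby that has received the master's state rejects a replayed packet while a cold standby would accept it.

```python
"""Why a failover pair must sync anti-replay state: a minimal model."""
from dataclasses import dataclass

WINDOW = 64  # window size in bits (RFC 2401 requires at least 32); constructed


@dataclass
class InboundSaState:
    """Per-SA inbound state that the master replicates to the standby."""
    highest_seq: int = 0          # highest sequence number accepted so far
    bitmap: int = 0               # bit i set => seq (highest_seq - i) was seen
    bytes_processed: int = 0      # counter for the byte-based SA lifetime
    byte_lifetime: int = 1 << 20  # assumed 1 MiB lifetime (constructed value)

    def check_and_update(self, seq: int, length: int) -> str:
        """Return 'accept', 'replay', 'stale' or 'expired' for an inbound packet."""
        if self.bytes_processed + length > self.byte_lifetime:
            return "expired"  # SA must be rekeyed; both peers agree thanks to the synced counter
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            # slide the window forward; a jump past the window empties it
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
        else:
            offset = self.highest_seq - seq
            if offset >= WINDOW:
                return "stale"   # too far behind the window to judge; drop
            if (self.bitmap >> offset) & 1:
                return "replay"  # already seen inside the window
            self.bitmap |= 1 << offset
        self.bytes_processed += length
        return "accept"

    def snapshot(self) -> "InboundSaState":
        """The state the master pushes to the standby over the backup link."""
        return InboundSaState(self.highest_seq, self.bitmap, self.bytes_processed, self.byte_lifetime)


def failover_demo() -> dict:
    """Master accepts a burst (seq 4 still in flight), then the standby takes over."""
    master = InboundSaState()
    for seq in (1, 2, 3, 5):
        master.check_and_update(seq, 100)
    standby_synced = master.snapshot()  # standby with replicated state
    standby_cold = InboundSaState()     # standby that received no state
    return {
        "synced_replay_of_3": standby_synced.check_and_update(3, 100),  # replay
        "synced_late_4": standby_synced.check_and_update(4, 100),       # accept
        "synced_new_6": standby_synced.check_and_update(6, 100),        # accept
        "cold_replay_of_3": standby_cold.check_and_update(3, 100),      # accept (replay slips through)
    }
```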
Protocols and standards
• RFC 2401, Security Architecture for the Internet Protocol
• RFC 2402, IP Authentication Header
• RFC 2406, IP Encapsulating Security Payload
• RFC 4552, Authentication/Confidentiality for OSPFv3
IPsec implementation
IPsec can be implemented based on ACLs, tunnel interfaces, or applications:
• ACL-based IPsec uses ACLs to identify the data flows to be protected. To implement ACL-based IPsec, configure IPsec policies, reference ACLs in the policies, and apply the policies to physical interfaces (see "Configuring ACL-based IPsec in the Web interface"). By using ACLs, you can customize IPsec policies as needed, implementing IPsec flexibly.
• Tunnel interface-based IPsec, or routing-based IPsec, depends on the routing mechanism to select the data flows to be protected. To implement tunnel interface-based IPsec, configure IPsec profiles and apply them to IPsec tunnel interfaces (see "Configuring tunnel interface-based IPsec"). By using IPsec profiles, this IPsec implementation method simplifies IPsec VPN configuration and management, and improves the scalability of large VPN networks.
• Application-based IPsec protects the packets of a service. This IPsec implementation method can be used to protect IPv6 routing protocols. It does not require any ACL, nor does it depend on the routing mechanism. To configure application-based IPsec, configure manual IPsec policies and bind the policies to an IPv6 routing protocol. See "Configuring IPsec for IPv6 routing protocols."
Configuring ACL-based IPsec in the Web interface
Configuration considerations
1. Configure ACLs for identifying data flows to be protected.
2. Configure IPsec proposals to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.
3. Configure IPsec policies to associate data flows with IPsec proposals and specify the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec tunnel), the required keys, and the SA lifetime.