Recommended configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual

Page 170

158

Apply the IPsec policies to interfaces to finish IPsec configuration.

Recommended configuration procedure

Step Remarks

1. Configuring ACLs

Required.
Configure ACLs to identify the data flows to be protected by IPsec.

IMPORTANT:

This document introduces only how to reference ACLs in IPsec. To create ACLs,

select Firewall > ACL from the navigation tree. For more information about the

procedure, see

Access Control Configuration Guide

2. Configuring an IPsec

proposal

Required.
An IPsec proposal defines a set of security parameters for IPsec SA
negotiation, including the security protocol, encryption and authentication

algorithms, and encapsulation mode.

IMPORTANT:

Changes to an IPsec proposal affect only SAs negotiated after the changes are

made.

3. Configuring an IPsec

policy template

Required if you are using an IPsec policy template group to create an IPsec
policy.
An IPsec policy template group is a collection of IPsec policy templates with

the same name but different sequence numbers. In an IPsec policy template
group, an IPsec policy template with a smaller sequence number has a higher

priority.

4. Configuring an IPsec

policy

Required.
Configure an IPsec policy by specifying the parameters directly or using a
created IPsec policy template. The firewall supports only IPsec policies that

use IKE.
An IPsec policy group is a collection of IPsec policies with the same name but

different sequence numbers. The smaller the sequence number, the higher the
priority of the IPsec policy in the policy group.

IMPORTANT:

An IPsec policy referencing a template cannot be used to initiate SA

negotiations but can be used to respond to a negotiation request. The

parameters specified in the IPsec policy template must match those of the remote
end. The parameters not defined in the template are determined by the initiator.

5. Applying an IPsec policy

group

Required.
Apply an IPsec policy group to an interface (logical or physical) to protect

certain data flows.

6. Displaying IPsec SAs

Optional.
View brief information about established IPsec SAs to verify your

configuration.

7. Displaying packet

statistics

Optional.
View packet statistics to verify your configuration.

This manual is related to the following products:

H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS