Protection modes, Configuring an ipsec proposal, Configuring an ipsec – H3C Technologies H3C SecPath F1000-E User Manual


Figure 107 Non-mirror image ACLs

Protection modes

Data flows can be protected in the following modes:

Standard mode—One tunnel is used to protect one data flow. The data flow permitted by each ACL
rule is protected by one tunnel that is established separately for it.

Aggregation mode—One tunnel is used to protect all data flows permitted by all the rules of an ACL.
This mode applies only to scenarios that use IKE for negotiation.

For more information about ACL configuration, see Access Control Configuration Guide.

To use IPsec in combination with QoS, make sure that IPsec's ACL classification rules match the QoS
classification rules. If the rules do not match, QoS may classify the packets of one IPsec SA to different
queues, causing packets to be sent out of order. When the anti-replay function is enabled, IPsec will
discard the packets beyond the anti-replay window in the inbound direction, resulting in packet loss. For
more information about QoS classification rules, see Network Management Configuration Guide.
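
The interaction between QoS reordering and the anti-replay window can be reproduced with a short simulation. This is an added example, not code from the manual or the device: the 64-packet window, the queueing model in `arrival_order`, and all names are assumptions chosen for illustration.

```python
# Added example: ESP-style anti-replay window fed by QoS-reordered packets.
WINDOW = 64  # assumed window size; the page does not give the device's value

class AntiReplay:
    """Sliding-window check in the style of RFC 4303 (32-bit sequence numbers)."""
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def accept(self, seq):
        if seq == 0:
            return False                       # ESP sequence numbers start at 1
        if seq > self.top:                     # newer packet: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                # older than the window: discarded
            return False
        if self.bitmap & (1 << offset):        # already seen: replay, discarded
            return False
        self.bitmap |= 1 << offset
        return True

def arrival_order(n, lag, slow_every=4):
    """Constructed model: every slow_every-th packet of one SA lands in a
    lower-priority QoS queue and arrives `lag` packets late."""
    def key(seq):
        slow = seq % slow_every == 0
        return (seq + lag if slow else seq, slow)
    return sorted(range(1, n + 1), key=key)

def inbound_drops(n, lag, window=WINDOW):
    """Count packets the receiver discards for a given queueing lag."""
    check = AntiReplay(window)
    return sum(not check.accept(seq) for seq in arrival_order(n, lag))

if __name__ == "__main__":
    for lag in (0, 32, 128):
        print(f"lag={lag:3d} packets -> {inbound_drops(1000, lag)} of 1000 dropped")
```

Reordering that stays inside the window costs nothing; once the lower-priority queue lags by more than the window size, its packets are discarded even though none of them is a replay.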

Configuring an IPsec proposal

1. Select VPN > IPSec > Proposal from the navigation tree to enter the IPsec proposal management
page.

Figure 108 IPsec proposal list

2. Click Add to enter the IPsec proposal configuration wizard page.
The Web interface provides two modes for configuring an IPsec proposal: suite mode and custom
mode. The suite mode allows you to select a pre-defined encryption suite. The custom mode allows
you to configure the IPsec proposal parameters as needed.
