H3C SecPath F1000-E User Manual
Configuring ACL-based IPsec at the CLI
Configuration task list
Task                                                      Remarks
Basic IPsec configuration                                 Required
Applying an IPsec policy group to an interface            Required
Enabling the encryption engine                            Optional
Enabling ACL checking of de-encapsulated IPsec packets    Optional
Configuring the IPsec anti-replay function                Optional
Configuring packet information pre-extraction             Optional
Configuring IPsec stateful failover                       Optional
IMPORTANT:
IKE uses UDP port 500 (and UDP port 4500 when NAT traversal is in use), and AH and ESP are IP protocols 51 and 50 respectively. Make sure that packet filters on the interfaces with IKE or IPsec configured do not deny these flows, or negotiation and tunnel traffic will fail silently.
Configuring ACLs
ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is
desired, such as QoS and IPsec.
Keywords in ACL rules
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or
permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement
identifies a data flow that is not protected by IPsec. With IPsec, a packet is matched against the
referenced ACL rules and processed according to the first rule that it matches:
• Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This rule matches both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.
• In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires protection and continues to process it. If a deny statement is matched or no match is found, IPsec considers that the packet does not require protection and delivers it to the next function module.
• In the inbound direction, all IPsec packets matching a permit statement are processed by IPsec, and all non-IPsec (plaintext) packets that match a permit statement are discarded, because such a flow is expected to arrive under IPsec protection.
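The three rules above are easy to get wrong in practice (a deny placed after the permit it was meant to carve out, or forgetting that a permit also drops unprotected return traffic). The following is an added example, not H3C code from this manual, that models the matching semantics just described so they can be checked against a candidate ACL before it is deployed. It assumes rules written in the Comware syntax shown on this page (rule <id> permit|deny <proto> [source A W] [destination A W], wildcard masks where 0 bits must match), IPv4 only, the protocols ip/tcp/udp/icmp, and evaluation in the listed order; the ACL and packets at the bottom are constructed sample data.

```python
"""Model of IPsec ACL evaluation (added example, not H3C code).

Assumed: Comware rule syntax, IPv4 wildcard masks, rules checked in list order.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")                      # "any" as address/wildcard
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}  # None = any IP protocol


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                  # "permit" or "deny"
    proto: Optional[int]
    src: Tuple[str, str]         # (address, wildcard)
    dst: Tuple[str, str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255'."""
    tok = line.split()
    if tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACL rule: {line!r}")
    src, dst = ANY, ANY
    i = 4
    while i < len(tok):
        key = tok[i]
        if tok[i + 1] == "any":
            val, i = ANY, i + 2
        else:
            val, i = (tok[i + 1], tok[i + 2]), i + 3
        if key == "source":
            src = val
        elif key == "destination":
            dst = val
        else:
            raise ValueError(f"unknown keyword {key!r} in {line!r}")
    return Rule(int(tok[1]), tok[2], PROTO_NUM[tok[3]], src, dst)


def _addr_match(ip: str, addr_wild: Tuple[str, str]) -> bool:
    """Wildcard-mask comparison: bits that are 0 in the wildcard must be equal."""
    addr, wild = addr_wild
    w = int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(ip)) & ~w) == (int(ipaddress.IPv4Address(addr)) & ~w)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches the flow in both directions (source/destination swapped)."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    forward = _addr_match(pkt.src, rule.src) and _addr_match(pkt.dst, rule.dst)
    reverse = _addr_match(pkt.src, rule.dst) and _addr_match(pkt.dst, rule.src)
    return forward or reverse


def first_match(acl: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First-match semantics: the first matching rule decides; None if nothing matches."""
    return next((r for r in acl if rule_matches(r, pkt)), None)


def outbound_decision(acl: List[Rule], pkt: Packet) -> str:
    """Outbound: permit -> IPsec protects it; deny or no match -> passed on unprotected."""
    r = first_match(acl, pkt)
    return "protect" if r is not None and r.action == "permit" else "bypass"


def inbound_decision(acl: List[Rule], pkt: Packet, is_ipsec: bool) -> str:
    """Inbound: a permit match means the flow must arrive under IPsec. De-encapsulated
    IPsec packets are processed; plaintext packets matching a permit rule are dropped;
    anything else is handed to the next module untouched."""
    r = first_match(acl, pkt)
    if r is not None and r.action == "permit":
        return "process" if is_ipsec else "drop"
    return "bypass"


# Constructed sample ACL: one host pair is carved out by a deny listed first, the rest
# of the two subnets is protected, and UDP from anywhere to 2.2.2.0/24 as well.
ACL_3000 = [parse_rule(l) for l in (
    "rule 0 deny ip source 1.1.1.10 0.0.0.0 destination 2.2.2.20 0.0.0.0",
    "rule 5 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255",
    "rule 10 permit udp source any destination 2.2.2.0 0.0.0.255",
)]

if __name__ == "__main__":
    for p in (Packet("1.1.1.5", "2.2.2.9", 6), Packet("2.2.2.9", "1.1.1.5", 6),
              Packet("1.1.1.10", "2.2.2.20", 6), Packet("1.1.1.5", "3.3.3.3", 6)):
        print(p, "outbound:", outbound_decision(ACL_3000, p))
    print("plaintext 2.2.2.9->1.1.1.5 inbound:",
          inbound_decision(ACL_3000, Packet("2.2.2.9", "1.1.1.5", 6), is_ipsec=False))
```

Note that moving rule 0 after rule 5 would silently change the outcome for the carved-out host pair, since the permit would then match first; that ordering mistake is the main thing this model is meant to catch.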
When defining ACL rules for IPsec, follow these guidelines: