
H3C Technologies H3C SecPath F1000-E User Manual


Configuring ACL-based IPsec at the CLI

Configuration task list

Task                                                    Remarks
Configuring ACLs                                        Required
Basic IPsec configuration:                              Required
  Configuring an IPsec proposal
  Applying an IPsec policy group to an interface
Enabling the encryption engine                          Required
Enabling ACL checking of de-encapsulated IPsec packets  Optional
Configuring the IPsec anti-replay function              Optional
Configuring packet information pre-extraction           Optional
Enabling invalid SPI recovery                           Optional
Configuring IPsec RRI                                   Optional
Configuring IPsec stateful failover                     Optional

IMPORTANT:

Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50 respectively. Make sure that flows of these protocols are not denied on the interfaces with IKE or IPsec configured.

Configuring ACLs

ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is desired, such as QoS and IPsec.

Keywords in ACL rules

IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not protected by IPsec. With IPsec, a packet is matched against the referenced ACL rules and processed according to the first rule that it matches:

- Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is a rule "rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255". This rule matches both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.

- In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires protection and continues to process it. If a deny statement is matched or no match is found, IPsec considers that the packet does not require protection and delivers it to the next function module.

- In the inbound direction, all IPsec packets matching a permit statement are processed by IPsec, and all non-IPsec packets that match a permit statement are discarded.
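The matching semantics above (first match wins, every rule also matches the mirrored return flow, permit means protect, and inbound cleartext that matches a permit rule is discarded), as an added Python simulation that is not part of the manual or of H3C's software. It parses the rule syntax shown above with wildcard masks; the deny rule for a single host 1.1.1.10 is a constructed example used to show first-match ordering.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str    # "permit" or "deny"
    src: tuple     # (network as int, wildcard mask as int)
    dst: tuple


def _parse_addr(addr, wildcard):
    """Address/wildcard pair in ACL syntax: a wildcard bit of 1 means 'don't care'."""
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def parse_rule(text):
    """Parse e.g. 'rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255'."""
    t = text.split()
    s, d = t.index("source"), t.index("destination")
    return Rule(t[2], _parse_addr(t[s + 1], t[s + 2]), _parse_addr(t[d + 1], t[d + 2]))


def _match(ip, spec):
    net, wc = spec
    care = ~wc & 0xFFFFFFFF                     # bits that must be equal
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def first_match(rules, src, dst):
    """First-match lookup; a rule also matches the returned (mirrored) flow."""
    for r in rules:
        forward = _match(src, r.src) and _match(dst, r.dst)
        mirrored = _match(src, r.dst) and _match(dst, r.src)
        if forward or mirrored:
            return r.action
    return None                                 # no rule matched


def outbound(rules, src, dst):
    """Outbound: permit -> IPsec protects; deny or no match -> next function module."""
    return "protect" if first_match(rules, src, dst) == "permit" else "bypass"


def inbound(rules, src, dst, is_ipsec):
    """Inbound: IPsec packets matching permit are processed; cleartext matching permit is discarded."""
    if first_match(rules, src, dst) != "permit":
        return "bypass"
    return "process" if is_ipsec else "discard"


# Constructed rule set: host 1.1.1.10 is excluded before the subnet-wide permit.
RULES = [parse_rule("rule 0 deny ip source 1.1.1.10 0.0.0.0 destination 2.2.2.0 0.0.0.255"),
         parse_rule("rule 5 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255")]
```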

When defining ACL rules for IPsec, follow these guidelines: