Configuration task list, Configuring an ipsec profile – H3C Technologies H3C SecPath F1000-E User Manual
Configuration task list
The following is the generic configuration procedure for implementing tunnel interface-based IPsec:
1. Configure an IPsec proposal to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.
2. Configure an IPsec profile to associate data flows with the IPsec proposal, and to specify the IKE peer parameters and the SA lifetime.
3. Configure an IPsec tunnel interface and apply the IPsec profile to the interface.
NOTE:
Because packets routed to the IPsec tunnel interface are all protected, the data protection scope, which is
required for IPsec policy configuration, is not needed in the IPsec profile.
Complete the following tasks to configure tunnel interface-based IPsec:
Task                                                                        Remarks
Configuring an IPsec proposal                                               Required. An IPsec proposal for the IPsec tunnel interface to reference supports tunnel mode only.
Configuring an IPsec profile                                                Required.
Configuring an IPsec tunnel interface                                       Required.
Enabling packet information pre-extraction on the IPsec tunnel interface    Optional.
Applying a QoS policy to an IPsec tunnel interface                          Optional.
Enabling the encryption engine                                              Optional.
Configuring the IPsec anti-replay function                                  Optional.
Configuring IPsec stateful failover                                         Optional.
Configuring an IPsec profile
As described previously, an IPsec policy is uniquely identified by its name and sequence number. An
IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers.
In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority. After an
IPsec policy group is applied to an interface, for each packet arriving at the interface, the system checks
the IPsec policies of the IPsec policy group in the ascending order of sequence numbers. One IPsec tunnel
will be established for each data flow to be protected, and multiple IPsec tunnels may exist on an
interface.
An IPsec profile is similar to an IPsec policy. The difference is that an IPsec profile is uniquely identified
by its name and it does not support ACL configuration. An IPsec profile defines the IPsec proposal to be
used for protecting data flows, and specifies the parameters for IKE negotiation. After an IPsec profile is
applied to an IPsec tunnel interface, only one IPsec tunnel is set up to protect all data flows that are routed
to the tunnel.
IPsec profiles can be applied to only IPsec tunnel interfaces. The IPsec tunnel established using an IPsec
profile protects all IP data routed to the tunnel interface.
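The difference between the two models can be checked with a small simulation. The following is an added example, not code or configuration from the manual: it models policy-group matching in ascending sequence order against a profile's single tunnel, and flags policies that a smaller sequence number makes unreachable. The group name map1, the profile name prof1, the proposal names, the prefixes and the rule that unmatched packets go unprotected are assumptions made for the model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str      # policy group name
    seq: int       # sequence number; smaller means higher priority
    src: str       # source/destination prefixes stand in for the policy's ACL
    dst: str
    proposal: str  # hypothetical name of the referenced IPsec proposal

def _covers(p, src, dst):
    """True if policy p's prefixes contain the given source and destination networks."""
    return (src.subnet_of(ipaddress.ip_network(p.src))
            and dst.subnet_of(ipaddress.ip_network(p.dst)))

def match_policy(group, src_ip, dst_ip):
    """Check the group's policies in ascending sequence order; first match wins."""
    s, d = ipaddress.ip_network(src_ip), ipaddress.ip_network(dst_ip)
    for p in sorted(group, key=lambda p: p.seq):
        if _covers(p, s, d):
            return p
    return None  # model assumption: no policy matched, packet is not protected

def policy_tunnels(group, packets):
    """One tunnel per protected data flow, keyed by the (name, seq) that matched."""
    hits = (match_policy(group, s, d) for s, d in packets)
    return {(p.name, p.seq): p.proposal for p in hits if p is not None}

def profile_tunnels(name, proposal, packets):
    """A profile has no ACL: all packets routed to the tunnel interface share one tunnel."""
    return {name: proposal} if packets else {}

def shadowed(group):
    """(seq, shadowing_seq) pairs where a smaller-seq policy covers the whole flow."""
    ordered = sorted(group, key=lambda p: p.seq)
    return [(p.seq, q.seq) for i, p in enumerate(ordered) for q in ordered[:i]
            if _covers(q, ipaddress.ip_network(p.src), ipaddress.ip_network(p.dst))]

# Constructed sample data, not taken from the manual.
GROUP = [
    Policy("map1", 20, "10.1.1.0/24", "10.2.0.0/16", "strong"),
    Policy("map1", 10, "10.1.0.0/16", "10.2.0.0/16", "legacy"),
    Policy("map1", 30, "10.3.0.0/16", "10.4.0.0/16", "strong"),
]
PACKETS = [("10.1.1.5", "10.2.0.9"), ("10.3.0.7", "10.4.1.1"), ("192.0.2.1", "198.51.100.1")]
```

In this sample, policy 20 is never reached because policy 10 matches its whole flow first, so traffic intended for the stronger proposal is negotiated with the other one; with a profile there is no ordering to audit.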