H3C Technologies H3C SecPath F1000-E User Manual
Step 5. Specify the source address or interface of the tunnel interface.
  Command: source { ip-address | interface-type interface-number }
  Remarks: By default, no source address or interface is specified for a tunnel interface. If you specify an interface, the tunnel interface will take the primary IP address of the source interface.
Step 6. Specify the destination address of the tunnel interface.
  Command: destination ip-address
  Remarks: Optional for an IKE negotiation responder, and required for an IKE negotiation initiator. By default, no tunnel destination address is configured.
Step 7. Apply an IPsec profile to the tunnel interface.
  Command: ipsec profile profile-name
  Remarks: N/A
NOTE:
• An IPsec profile can be applied to an IPsec tunnel interface only.
• An IPsec tunnel interface can reference only one IPsec profile.
• Apply an IPsec profile to only one IPsec tunnel interface. Although an IPsec profile can be applied to multiple IPsec tunnel interfaces, it takes effect only on the IPsec tunnel interface that goes up first.
Enabling packet information pre-extraction on the IPsec tunnel interface
Because packets that an IPsec tunnel interface passes to a physical interface are encapsulated, the QoS
module cannot obtain the 5-tuple (source IP, destination IP, source port, destination port, and protocol) of
the original packets. To address this problem, enable packet information pre-extraction on the tunnel
interface.
With packet information pre-extraction enabled, an IPsec tunnel interface buffers the IP 5-tuple data in
the original packets, so that the corresponding physical interface can perform QoS processing such as
traffic classification and IP precedence setting.
To implement QoS for IPsec packets, however, you also need to apply a QoS policy to the physical
outbound interface. For more information about how to apply a QoS policy to a physical interface, see
Network Management Configuration Guide.
To enable packet information pre-extraction on an IPsec tunnel interface:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter tunnel interface view.
  Command: interface tunnel number
  Remarks: N/A
Step 3. Enable packet information pre-extraction.
  Command: qos pre-classify
  Remarks: Disabled by default.
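The following is an added example, not part of the H3C manual: a Python check over configuration text that flags the conditions described above (an IPsec profile applied to more than one tunnel interface, a tunnel with no destination address, and pre-extraction left disabled). The section layout it parses (an "interface Tunnel<N>" line followed by indented commands), the function names, and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample: documentation-range addresses, hypothetical profile name.
SAMPLE = """\
interface Tunnel1
 source 192.0.2.1
 destination 198.51.100.1
 ipsec profile branch
 qos pre-classify
#
interface Tunnel2
 source GigabitEthernet0/1
 ipsec profile branch
"""

def parse_tunnels(config):
    """Return {tunnel name: {command: argument}} for each tunnel interface section."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+tunnel\s*(\d+)\s*$", line, re.I)
        if m:
            current = tunnels.setdefault("Tunnel" + m.group(1), {})
        elif not line.startswith(" "):
            current = None  # "#" or another top-level line closes the section
        elif current is not None:
            cmd = line.strip()
            for key in ("source", "destination", "ipsec profile", "qos pre-classify"):
                if cmd == key or cmd.startswith(key + " "):
                    current[key] = cmd[len(key):].strip()
    return tunnels

def audit(config):
    """Return (interface(s), finding) pairs for tunnels that apply an IPsec profile."""
    findings, users = [], {}
    for name, cmds in parse_tunnels(config).items():
        if "ipsec profile" not in cmds:
            continue
        users.setdefault(cmds["ipsec profile"], []).append(name)
        if "destination" not in cmds:  # acceptable only on an IKE responder
            findings.append((name, "NO_DESTINATION"))
        if "qos pre-classify" not in cmds:  # QoS cannot see the original 5-tuple
            findings.append((name, "NO_PRE_CLASSIFY"))
    for profile, names in users.items():
        if len(names) > 1:  # takes effect only on the interface that goes up first
            findings.append((",".join(names), "SHARED_PROFILE:" + profile))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A NO_DESTINATION finding is expected on a device that only responds to IKE negotiation; on an initiator it means the tunnel cannot start negotiation.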