
Applying a QoS policy to an IPsec tunnel interface, Configuring IPsec for IPv6 routing protocols – H3C Technologies H3C SecPath F1000-E User Manual


CAUTION:

When the QoS policy applied to the physical outbound interface provides congestion management, IPsec packets arriving at the destination may be out of order. This may cause the out-of-order IPsec packets to be dropped by the IPsec anti-replay function. For more information, see "Configuring the IPsec anti-replay function."

Applying a QoS policy to an IPsec tunnel interface

The device allows you to apply a QoS policy to the IPsec tunnel interface. In this case, QoS is performed before IPsec encapsulation, and the priority of a resulting packet is the same as that of the original packet. In addition, QoS congestion management is applied to the packets before encapsulation, which avoids reordering of IPsec packets.

This method is much more explicit and flexible than the QoS implementation method of enabling packet information pre-extraction on the IPsec tunnel interface, which requires applying a QoS policy to the physical outbound interface.
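The following simplified model is an added example, not part of the H3C manual. It shows why congestion management applied after IPsec encapsulation can trigger anti-replay drops while the same scheduling applied before encapsulation cannot. The 64-packet window, the strict-priority scheduler, and the constructed 200-packet burst are assumptions made for illustration.

```python
class AntiReplayWindow:
    """Receiver-side sliding window over IPsec sequence numbers."""

    def __init__(self, size=64):  # window size is an assumption, not from the manual
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was already seen

    def accept(self, seq):
        if seq < 1:                         # sequence numbers start at 1
            return False
        if seq > self.top:                  # newer packet: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:             # too old: fell out of the window
            return False
        if (self.bitmap >> offset) & 1:     # duplicate: treated as a replay
            return False
        self.bitmap |= 1 << offset
        return True


def wire_sequence(prios, qos_before_encapsulation):
    """Sequence numbers in the order they leave the sender (0 = high priority)."""
    if qos_before_encapsulation:
        # QoS on the tunnel interface: schedule first, then IPsec numbers the packets.
        scheduled = sorted(prios)           # stable sort models strict priority queuing
        return [seq for seq, _ in enumerate(scheduled, start=1)]
    # QoS on the physical outbound interface: IPsec numbers first, then scheduling.
    numbered = list(enumerate(prios, start=1))
    return [seq for seq, _ in sorted(numbered, key=lambda sp: sp[1])]


def count_drops(prios, qos_before_encapsulation, window=64):
    rx = AntiReplayWindow(window)
    return sum(not rx.accept(s) for s in wire_sequence(prios, qos_before_encapsulation))


# Constructed sample: a congested burst of 200 packets, every fourth one high priority.
BURST = [0 if i % 4 == 0 else 1 for i in range(200)]

if __name__ == "__main__":
    print("QoS after encapsulation, dropped:", count_drops(BURST, False))
    print("QoS before encapsulation, dropped:", count_drops(BURST, True))
```
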
To apply a QoS policy to an IPsec tunnel interface:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter tunnel interface view. | interface tunnel number | N/A
3. Apply a QoS policy to the IPsec tunnel interface. | qos apply policy policy-name { inbound | outbound } | For more information about this command, see Network Management Command Reference.

Configuring IPsec for IPv6 routing protocols

NOTE:

The IPsec for IPv6 routing protocols configuration is available only at the CLI.

The following is the generic configuration procedure for configuring IPsec for IPv6 routing protocols:

1. Configure an IPsec proposal to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.

2. Configure a manual IPsec policy to specify the keys and SPI.

3. Apply the IPsec policy to an IPv6 routing protocol.

Complete the following tasks to configure IPsec for IPv6 routing protocols:

Task | Remarks
Configuring an IPsec proposal | Required.
Configuring a manual IPsec policy | Required. ACLs and IPsec tunnel addresses are not needed.