Applying a qos policy to an ipsec tunnel interface, Configuring ipsec for ipv6 routing protocols – H3C Technologies H3C SecPath F1000-E User Manual
CAUTION:
When the QoS policy applied to the physical outbound interface provides congestion management, IPsec
packets may arrive at the destination out of order. Out-of-order IPsec packets may then be dropped
by the IPsec anti-replay function. For more information, see "Configuring the IPsec anti-replay function."
Applying a QoS policy to an IPsec tunnel interface
The device allows you to apply a QoS policy to the IPsec tunnel interface. In this case, QoS is performed
before IPsec encapsulation, and the priority of a resulting packet is the same as that of the original packet.
In addition, QoS congestion management is applied to the packets before encapsulation, which avoids
reordering of the IPsec packets.
This method is much more explicit and flexible than the alternative QoS implementation method, which is to enable
packet information pre-extraction on the IPsec tunnel interface and which requires applying a QoS policy to the
physical outbound interface.
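The following Python sketch is an added illustration, not part of the H3C manual. It models a receiver's anti-replay sliding window and a strict-priority scheduler to compare scheduling after encapsulation (QoS on the physical outbound interface) with scheduling before encapsulation (QoS on the tunnel interface). The window size of 32, the traffic mix and all names are constructed assumptions.

```python
class AntiReplayWindow:
    """Sliding-window replay check in the style of RFC 4303 (assumed model)."""

    def __init__(self, size=32):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def accept(self, seq):
        if seq > self.top:                    # newer packet: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:               # older than the window: dropped
            return False
        if self.bitmap & (1 << offset):       # already seen: replay, dropped
            return False
        self.bitmap |= 1 << offset            # late but inside the window
        return True


def strict_priority(packets):
    """Drain a queued backlog high priority first (0 = high).
    The sort is stable, so order inside each class is preserved."""
    return sorted(packets, key=lambda p: p["prio"])


def drops(qos_before_encapsulation, n=200, window=32):
    """Count packets the receiver's anti-replay check rejects."""
    # Constructed burst: every fourth packet is high priority.
    flow = [{"prio": 0 if i % 4 == 0 else 1} for i in range(n)]
    if qos_before_encapsulation:
        # Tunnel-interface policy: schedule first, then assign ESP sequence numbers.
        wire = [dict(p, seq=s) for s, p in enumerate(strict_priority(flow), 1)]
    else:
        # Physical-interface policy: sequence numbers assigned, then reordered.
        wire = strict_priority([dict(p, seq=s) for s, p in enumerate(flow, 1)])
    rx = AntiReplayWindow(window)
    return sum(not rx.accept(p["seq"]) for p in wire)


if __name__ == "__main__":
    print("QoS after encapsulation, drops: ", drops(False))
    print("QoS before encapsulation, drops:", drops(True))
```

In this model every low-priority packet that falls more than one window behind the last high-priority packet is rejected, while scheduling before encapsulation yields strictly increasing sequence numbers and no rejections.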
To apply a QoS policy to an IPsec tunnel interface:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter tunnel interface view.
   Command: interface tunnel number
   Remarks: N/A
3. Apply a QoS policy to the IPsec tunnel interface.
   Command: qos apply policy policy-name { inbound | outbound }
   Remarks: For more information about this command, see Network Management Command Reference.
Configuring IPsec for IPv6 routing protocols
NOTE:
The IPsec for IPv6 routing protocols configuration is available only at the CLI.
The generic procedure for configuring IPsec for IPv6 routing protocols is as follows:
1. Configure an IPsec proposal to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.
2. Configure a manual IPsec policy to specify the keys and SPI.
3. Apply the IPsec policy to an IPv6 routing protocol.
Complete the following tasks to configure IPsec for IPv6 routing protocols:
Task | Remarks
 | Required.
Configuring a manual IPsec policy | Required. ACLs and IPsec tunnel addresses are not needed.