IPsec configuration guidelines – H3C Technologies H3C SecPath F1000-E User Manual
20004 192.168.0.2 RD 1 IPSEC STANDBY
20005 192.168.0.2 RD 2 IPSEC STANDBY
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
IPsec configuration guidelines
When you configure IPsec, follow these guidelines:
• IKE normally uses UDP port 500, and AH and ESP use the IP protocol numbers 51 and 50
respectively. Make sure that traffic of these protocols is not denied (for example by an ACL
or packet filter) on the interfaces with IKE or IPsec configured. If IKE NAT traversal is in use,
IKE negotiation and UDP-encapsulated ESP also use UDP port 4500, so that port must be permitted
as well.
• If you enable both IPsec and QoS on an interface, QoS may place the packets of one IPsec SA
into different queues, so some of them are sent out of order. Because IPsec performs an
anti-replay check, inbound packets at the receiving end whose sequence numbers fall outside the
anti-replay window are discarded, which shows up as packet loss. When you use IPsec together
with QoS, make sure that they use the same classification rules, so that all traffic of an SA
stays in one queue and keeps its order. IPsec classification rules depend on the ACL rules
referenced by the IPsec policy.
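The following example, added here for illustration (it is not H3C code and not part of the manual), shows why the QoS guideline matters. It implements the sliding-window anti-replay check that ESP/AH receivers use (RFC 4303, Appendix A) and drives it with a constructed traffic model in which a lower-priority QoS queue holds back part of one SA's packets. The window size of 64 and the 10% slow-queue share are assumptions chosen for the demonstration; the real window size depends on the platform and its configuration.

```python
"""Anti-replay sliding window fed by reordered traffic from a simulated QoS queue.
Example code added for illustration; not H3C code.  Window size is an assumption."""

WINDOW = 64  # assumed anti-replay window size (platform/config dependent in practice)


class AntiReplayWindow:
    """Right edge `top` is the highest sequence number accepted so far;
    bit i of `bitmap` records whether sequence number top - i has been seen."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def accept(self, seq):
        """Return True if the packet is accepted, False if the receiver drops it."""
        if seq == 0:                       # ESP/AH sequence numbers start at 1
            return False
        if seq > self.top:                 # new right edge: slide the window
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1            # everything previously seen fell off the window
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                   # too old: left of the window, dropped
        if self.bitmap & (1 << diff):
            return False                   # already received: replay, dropped
        self.bitmap |= 1 << diff
        return True


def reordered_arrival(n, delay, in_slow_queue):
    """Constructed traffic model: the sender emits seq 1..n in order; packets for
    which in_slow_queue(seq) is True are held back `delay` packets by a
    lower-priority queue, the rest leave immediately.  Returns the arrival order."""
    arrival, pending = [], []              # pending: (release position, seq), FIFO
    for pos, seq in enumerate(range(1, n + 1)):
        while pending and pending[0][0] <= pos:
            arrival.append(pending.pop(0)[1])
        if in_slow_queue(seq):
            pending.append((pos + delay, seq))
        else:
            arrival.append(seq)
    arrival.extend(seq for _, seq in pending)   # flush what is still queued
    return arrival


def dropped_by_receiver(arrival, window=WINDOW):
    """Run an arrival order through the receiver's window; return the dropped seqs."""
    w = AntiReplayWindow(window)
    return [seq for seq in arrival if not w.accept(seq)]


def every_tenth(seq):
    """Assumed QoS rule: one packet in ten of the SA lands in the slower queue."""
    return seq % 10 == 0


if __name__ == "__main__":
    # Reordering smaller than the window: nothing is lost.
    print("delay 10 :", dropped_by_receiver(reordered_arrival(200, 10, every_tenth)))
    # Reordering larger than the window: the delayed packets are discarded as too old.
    print("delay 100:", dropped_by_receiver(reordered_arrival(200, 100, every_tenth)))
    # Same classification for the whole SA: one queue, order kept, nothing lost.
    print("one queue:", dropped_by_receiver(reordered_arrival(200, 100, lambda s: True)))
```

The third run is the situation the guideline asks for: when QoS classifies all of an SA's traffic the same way, even a large queuing delay preserves order and the receiver drops nothing; the second run shows that once the reordering distance exceeds the window, the delayed packets of the SA are silently lost.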