Verification, Configuration guidelines – H3C Technologies H3C SecPath F1000-E User Manual
• Type map1 as the policy name.
• Type 10 as the sequence number.
• Select the IKE peer of peer.
• Select the IPsec proposal of tran1 and click <<.
• Type 3101 as the ACL.
• Click Apply.
# Apply IPsec policy map1 to GigabitEthernet 0/1.
• Select VPN > IPSec > IPSec Application from the navigation tree, and then click the icon of interface GigabitEthernet 0/1.
• Select the policy of map1.
• Click Apply.
Verification
After the above configuration, packets exchanged between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 trigger IKE to negotiate SAs. After IKE negotiation succeeds and the IPsec SAs are established, traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 is protected by IPsec.
Configuration Guidelines
When configuring IPsec, follow these guidelines:
• Typically, IKE uses UDP port 500 for communication, and AH and ESP use IP protocol numbers 51 and 50 respectively. Therefore, make sure that traffic of these protocols is not denied on the interfaces where IKE or IPsec is configured.
• If you enable both IPsec and QoS on an interface, the traffic of one IPsec SA may be placed into different queues by QoS, causing some packets to be sent out of order. Because IPsec performs anti-replay checking, inbound packets that fall outside the anti-replay window are discarded, resulting in packet loss. Therefore, when using IPsec together with QoS, ensure that both use the same classification rules. The IPsec classification rules are those of the ACL referenced by the IPsec policy.
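The same procedure expressed on the command line, together with the two guidelines above, as an added example that is not taken from this manual page. It assumes Comware V5 CLI syntax as used on the SecPath F1000-E, that the IKE peer peer, IPsec proposal tran1 and ACL 3101 already exist (as the GUI steps assume), and that ACL number 3000, the classifier name ipsec-flow and the firewall packet-filter interface command are assumed values and syntax rather than anything shown on the page.

```text
# Added example, not from the manual: Comware V5-style CLI assumed for the SecPath F1000-E.
# IKE peer "peer", IPsec proposal "tran1" and ACL 3101 are assumed to exist already.
#
# IPsec policy map1, sequence number 10, negotiated by IKE (the GUI steps above).
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer peer
 proposal tran1
#
# Guideline 1: let IKE (UDP 500), ESP (protocol 50) and AH (protocol 51) reach the interface.
# ACL number 3000 is an assumed value; keep these permit rules ahead of any deny rule they would match.
acl number 3000
 rule 0 permit udp destination-port eq 500
 rule 5 permit 50
 rule 10 permit 51
#
# Guideline 2: if QoS runs on the same interface, classify on the ACL the IPsec policy
# references (3101) so that one SA's packets stay in one queue. Classifier name is assumed.
traffic classifier ipsec-flow
 if-match acl 3101
#
# Apply the policy to GigabitEthernet 0/1 (the IPsec Application step above).
# The packet-filter line is assumed SecPath syntax for referencing ACL 3000 inbound.
interface GigabitEthernet 0/1
 ipsec policy map1
 firewall packet-filter 3000 inbound
#
# Verification: once traffic between 10.1.1.0/24 and 10.1.2.0/24 has flowed,
# an IKE SA and the IPsec SAs for map1 should be listed.
display ike sa
display ipsec sa policy map1
```

If the display commands show no IKE SA after traffic has been sent, the first guideline is the usual cause: check that UDP 500 and protocols 50 and 51 are permitted on the interface before revisiting the policy itself.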