R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

261

262

263

264

265

266

267

268

269

270

247

ACL-based IPsec and Tunnel interface-based IPsec are available for both IPv4 and IPv6 packets, and the

configuration procedures are the same for IPv4 and IPv6.

Implementing ACL-based IPsec

The following is the generic configuration procedure for implementing ACL-based IPsec:

1. Configure an ACL for identifying data flows to be protected.

2. Configure IPsec transform sets to specify the security protocols, authentication and encryption

algorithms, and encapsulation mode.

3. Configure an IPsec policy group to associate data flows with the IPsec transform sets and specify

the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec path), the

required keys, and the SA lifetime.

4. Apply the IPsec policies to interfaces to finish IPsec configuration.

Complete the following tasks to configure ACL-based IPsec:

Task Remarks

Configuring an ACL

Required.

Basic IPsec configuration.

Configuring an IPsec transform set

Configuring an IPsec policy

Applying an IPsec policy group to an interface

Enabling the encryption engine Optional.

Enabling ACL checking of de-encapsulated IPsec packets Optional.

Configuring the IPsec anti-replay function Optional.

Configuring packet information pre-extraction Optional.

Enabling invalid SPI recovery Optional.

Configuring IPsec RRI Optional.

Enabling IPsec packet fragmentation before/after encryption Optional.

Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and

50 respectively. Make sure that flows of these protocols are not denied on the interfaces with IKE or IPsec

configured.

Configuring an ACL

ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is

desired, such as QoS and IPsec.

Keywords in ACL rules

IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or

permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement

identifies a data flow that is not protected by IPsec. With IPsec, a packet is matched against the

referenced ACL rules and processed according to the first rule that it matches: