Manualshelf

R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution
271272273274275276277278279280
258
For each packet to be sent out an IPsec protected interface, the system looks through the IPsec policies in
the IPsec policy group in ascending order of sequence numbers. If an IPsec policy matches the packet,
the system uses the IPsec policy to protect the packet. If no match is found, the system sends the packet out
without IPsec protection.
In addition to physical interfaces like serial and Ethernet ports, you can apply an IPsec policy to virtual
interfaces, such as tunnel and virtual template interfaces, to tunnel applications such as GRE and L2TP.
An interface can reference only one IPsec policy group. An IPsec policy that uses IKE can be applied to
more than one interface, but a manual IPsec policy can be applied to only one interface.
To apply an IPsec policy group to an interface:
Ste
p
Command
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Apply an IPsec policy group to the interface.
ipsec policy policy-name
Enabling the encryption engine
The encryption engine is a coprocessor that provides an encryption/decryption algorithm interface for
IPsec processing.
If the encryption engine is enabled, the engine takes over the responsibility of IPsec processing.
If the encryption engine is disabled or has failed but the IPsec module backup function is enabled, the
IPsec module takes over the responsibility of IPsec processing. If the IPsec module backup function is
disabled, the matching packets are discarded.
To enable the encryption engine:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enable the encryption
engine.
cryptoengine enable [ slot slot-number ]
Optional.
By default, the encryption
engine is enabled.
Enabling ACL checking of de-encapsulated IPsec packets
In tunnel mode, the IP packet that was encapsulated in an inbound IPsec packet might not be an object
that is specified by an ACL to be protected. For example, a forged packet is not an object to be protected.
If you enable ACL checking of de-encapsulated IPsec packets, all packets failing the checking will be
discarded, improving the network security.
To enable ACL checking of de-encapsulated IPsec packets:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A