HP VPN Firewall Appliances VPN Command Reference

Related commands
ipsec policy (system view)
security acl
Use security acl to specify the ACL for the IPsec policy to reference.
Use undo security acl to remove the configuration.
Syntax
security acl acl-number [ aggregation | per-host ]
undo security acl
Default
An IPsec policy references no ACL.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
acl-number: Specifies the number of the ACL for the IPsec policy to reference, in the range of 3000 to 3999.
aggregation: Specifies the data flow protection mode as aggregation. This mode is configurable only in IPsec policies that use IKE negotiation.
per-host: Specifies the data flow protection mode as per-host. This mode is configurable only in IPsec policies that use IKE negotiation.
Usage guidelines
With an IKE-dependent IPsec policy configured, data flows can be protected in the following modes:
Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one tunnel that is established solely for it.
Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL.
Per-host mode—One tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one tunnel established solely for it.
If you specify neither the aggregation nor the per-host mode, the standard mode is used.
To use the per-host mode, you only need to specify an ACL in per-host mode in the IPsec policy of the IPsec initiator. You do not need to specify the per-host keyword in the IPsec policy of the responder.
Use the per-host mode with caution. If the number of hosts to be protected is large, IPsec in per-host mode establishes a large number of SAs and can quickly exhaust system resources.
When your device interoperates with a device running an older software version, use the aggregation mode on both devices.
An IPsec policy references only one ACL. If you specify more than one ACL for an IPsec policy, the IPsec policy references the one last specified.
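The three protection modes differ mainly in how many tunnels (and therefore SAs) an ACL will cause the device to build, which is what the per-host caution above is about. The following Python estimator is an added illustration for this reference and is not HP code: it parses Comware-style `rule permit ip source <addr> <wildcard> destination <addr> <wildcard>` lines (the `any` keyword is also accepted), treats every address in a matched prefix as a potential host, and counts the tunnels each mode would need. The ACL text, the `max_tunnels` budget and the function names are constructed assumptions; real SA consumption also depends on how many hosts actually send traffic and on how many SAs (at least one inbound/outbound pair) each tunnel needs.

```python
"""Estimate tunnel counts for the standard, aggregation and per-host data
flow protection modes of an IPsec policy (added example, not HP/Comware
code; the ACL model below is a simplification of the device's ACL)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class AclRule:
    """One permit rule reduced to the two prefixes it matches."""
    source: IPv4Network
    destination: IPv4Network


def _wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert a Comware wildcard mask (0 bits = must match) to a prefix length.
    Rejects non-contiguous wildcards, which do not describe a single prefix."""
    bits = int(ip_address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    host_bits = (bits + 1).bit_length() - 1   # 0.0.0.255 -> 8 host bits
    return 32 - host_bits


def _parse_endpoint(tokens, idx):
    """Return (network, next_index) for 'any' or '<addr> <wildcard>'."""
    if tokens[idx] == "any":
        return ip_network("0.0.0.0/0"), idx + 1
    addr, wildcard = tokens[idx], tokens[idx + 1]
    prefixlen = _wildcard_to_prefixlen(wildcard)
    return ip_network(f"{addr}/{prefixlen}", strict=False), idx + 2


def parse_rule(line: str):
    """Parse one ACL rule line; returns None for deny rules and blank lines,
    because only permitted flows are selected for IPsec protection."""
    tokens = line.split()
    if not tokens or "permit" not in tokens:
        return None
    src = dst = ip_network("0.0.0.0/0")   # an omitted endpoint means 'any'
    i = 0
    while i < len(tokens):
        if tokens[i] == "source":
            src, i = _parse_endpoint(tokens, i + 1)
        elif tokens[i] == "destination":
            dst, i = _parse_endpoint(tokens, i + 1)
        else:
            i += 1
    return AclRule(src, dst)


def parse_acl(text: str):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def tunnel_estimate(acl_text: str) -> dict:
    """Tunnels each mode would establish for the permit rules of the ACL."""
    rules = parse_acl(acl_text)
    return {
        # Standard mode: one tunnel per ACL rule.
        "standard": len(rules),
        # Aggregation mode: one tunnel for all flows the ACL permits.
        "aggregation": 1 if rules else 0,
        # Per-host mode: one tunnel per host-to-host pair the rules cover.
        "per-host": sum(r.source.num_addresses * r.destination.num_addresses
                        for r in rules),
    }


def mode_fits(acl_text: str, mode: str, max_tunnels: int) -> bool:
    """True if the chosen mode stays within a tunnel budget (constructed
    capacity figure, assumed to be taken from the platform's SA limits)."""
    return tunnel_estimate(acl_text)[mode] <= max_tunnels


# Constructed sample ACL in Comware rule syntax (not from the reference page).
SAMPLE_ACL_3001 = """
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
rule 5 permit ip source 10.1.1.10 0.0.0.0 destination 10.1.3.0 0.0.0.15
rule 10 deny ip
"""

if __name__ == "__main__":
    for mode, tunnels in tunnel_estimate(SAMPLE_ACL_3001).items():
        print(f"{mode:12s} {tunnels:6d} tunnels")
```

The second rule covers a single host talking to a /28, so it adds only 16 per-host tunnels, but the first rule alone yields 65536 of them; standard mode needs two tunnels and aggregation one. Running the check with a tunnel budget before choosing `per-host` is the practical form of the caution in the usage guidelines.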
Examples
# Configure IPsec policy policy1 to reference ACL 3001.