F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Command Reference-6PW100

Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
acl-number: Number of the ACL for the IPsec policy to reference, in the range 3000 to 3999.
aggregation: Specifies the data flow protection mode as aggregation. This mode is configurable only in
IPsec policies that use IKE negotiation.
per-host: Specifies the data flow protection mode as per-host. This mode is configurable only in IPsec
policies that use IKE negotiation.
Usage guidelines
With an IKE-dependent IPsec policy configured, data flows can be protected in the following modes:
Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one tunnel that is established solely for it.
Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL.
Per-host mode—One tunnel protects one host-to-host data flow. Each pair of source host and destination host matched by an ACL rule is a separate data flow and is protected by one tunnel established solely for it.
If you specify neither the aggregation nor the per-host keyword, the standard mode is used.
To use the per-host mode, specify the per-host keyword only in the IPsec policy of the IPsec initiator. The IPsec policy of the responder does not need the per-host keyword.
Use the per-host mode with caution. Because every protected host pair gets its own tunnel, a large number of protected hosts causes IPsec to establish a large number of SAs, which can exhaust system resources quickly.
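The per-host caveat is easiest to appreciate with numbers. The following Python script is an added example, not code from this command reference or from the device software. It models the three protection modes described above (one tunnel per ACL rule, one per ACL, one per permitted host pair) and computes the worst-case tunnel count for an ACL, using the two rules of ACL 3002 from the examples on this page as constructed input. The rule parser handles only the simplified `rule [id] permit <protocol> source <ip> <wildcard> destination <ip> <wildcard>` form shown here; the function and class names are the example's own.

```python
"""Worst-case IPsec tunnel counts for the standard, aggregation and
per-host data flow protection modes.

Added example, not code from the HP command reference or from the device
software. Standard mode creates one tunnel per ACL rule, aggregation one
tunnel per ACL, per-host one tunnel per source/destination host pair
permitted by a rule. Only this simplified rule form is parsed:
  rule [id] permit <protocol> source <ip> <wildcard> destination <ip> <wildcard>
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Comware wildcard masks: a 1 bit means "don't care", so 0.0.0.255 covers 256 hosts.
RULE_RE = re.compile(
    r"rule\s+(?:(?P<id>\d+)\s+)?permit\s+(?P<proto>\S+)\s+"
    r"source\s+(?P<src>\S+)\s+(?P<smask>\S+)\s+"
    r"destination\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)

# Constructed input: the two rules of ACL 3002 from the examples on this page.
SAMPLE_ACL: List[str] = [
    "rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255",
    "rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255",
]


@dataclass(frozen=True)
class Rule:
    protocol: str
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str


def parse_rule(line: str) -> Rule:
    """Parse one advanced ACL permit rule (simplified syntax, see module docstring)."""
    m = RULE_RE.search(line)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(m["proto"], m["src"], m["smask"], m["dst"], m["dmask"])


def host_count(wildcard: str) -> int:
    """Number of addresses matched by a wildcard mask ("0" or "0.0.0.0" is one host)."""
    bits = int(wildcard) if wildcard.isdigit() else int(ipaddress.IPv4Address(wildcard))
    return 1 << bin(bits).count("1")


def tunnel_count(rules: List[Rule], mode: str) -> int:
    """Worst-case number of tunnels if every permitted flow actually carries traffic.
    IPsec SAs are unidirectional, so each tunnel needs at least an inbound and an
    outbound SA on top of this count."""
    if mode == "aggregation":
        return 1 if rules else 0
    if mode == "standard":
        return len(rules)
    if mode == "per-host":
        return sum(host_count(r.src_wildcard) * host_count(r.dst_wildcard) for r in rules)
    raise ValueError(f"unknown protection mode: {mode}")


def summarize(acl_lines: List[str]) -> Dict[str, int]:
    """Tunnel count per mode for a list of ACL rule lines."""
    rules = [parse_rule(line) for line in acl_lines]
    return {mode: tunnel_count(rules, mode) for mode in ("standard", "aggregation", "per-host")}


if __name__ == "__main__":
    for mode, count in summarize(SAMPLE_ACL).items():
        print(f"{mode:12s} {count:7d} tunnel(s)")
```

For ACL 3002 the script reports 2 tunnels in standard mode, 1 in aggregation mode and 131072 in per-host mode (two rules, each covering 256 x 256 host pairs), which is the resource exhaustion the guideline warns about. The counts are the ACL's worst case: per-host tunnels are only created for host pairs that actually exchange traffic, and a host rule (wildcard 0) yields the same count in per-host and standard mode.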
When your device interoperates with a device running an older software version, use the aggregation mode on both devices.
An IPsec policy references only one ACL. If you specify more than one ACL for an IPsec policy, only the ACL specified last takes effect.
Examples
# Configure IPsec policy policy1 to reference ACL 3001.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-adv-3001] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] security acl 3001
# Configure IPsec policy policy2 to reference ACL 3002, and set the data flow protection mode to
aggregation.
<Sysname> system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255
[Sysname-acl-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255
[Sysname-acl-adv-3002] quit
[Sysname] ipsec policy policy2 1 isakmp
[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation