F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

6. Identifying that the destination address of the packet is the tunnel interface and the protocol is AH or ESP, the forwarding module forwards the packet to the IPsec tunnel interface for de-encapsulation.
7. The IPsec tunnel interface de-encapsulates the packet, and then delivers the resulting clear text packet back to the forwarding module.
8. The forwarding module looks up the routing table, and then forwards the clear text packet out of the physical outbound interface associated with the tunnel interface.
IPsec for IPv6 routing protocols
The following matrix shows the feature and hardware compatibility:
Hardware                Feature compatible
F1000-A-EI/F1000-S-EI   Yes
F1000-E                 Yes
F5000                   Yes
Firewall module         Yes
U200-A                  No
U200-S                  No
You can use IPsec to protect routing information and defend against attacks for these IPv6 routing protocols: OSPFv3, IPv6 BGP, and RIPng. IPsec enables these IPv6 routing protocols to encapsulate outbound protocol packets and de-encapsulate inbound protocol packets with the AH or ESP protocol. If an inbound protocol packet is not IPsec protected, or fails to be de-encapsulated (for example, because of a decryption or authentication failure), the routing protocol discards that packet.

You must manually configure SA parameters in an IPsec policy for IPv6 routing protocols. The IKE key exchange mechanism is applicable only to one-to-one communications. IPsec cannot implement automatic key exchange for one-to-many communications on a broadcast network, where all routers must use the same SA parameters (SPI and key) to process packets for a routing protocol.
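The inbound check described above, modeled in Python as an added example (not code from this guide or from the HP devices): routers on one broadcast segment share a manually configured SA (SPI and key), a peer whose key differs cannot authenticate the packet, and an unprotected packet is discarded outright. The SPI, key and OSPFv3 payload are constructed values; the AH integrity check is simplified to an HMAC-SHA256 over SPI, sequence number and payload.

```python
import hmac
import hashlib

# Constructed values: a manual SA shared by routers on one broadcast segment.
SPI = 12345
SHARED_KEY = b"constructed-manual-key"

def icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """AH-style integrity check value: HMAC-SHA256 over SPI, sequence number
    and payload, truncated to 128 bits. Real AH also covers immutable IPv6
    header fields; this simplified model omits them."""
    data = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def encapsulate(spi: int, key: bytes, seq: int, payload: bytes) -> dict:
    """Outbound: wrap a routing protocol packet with the manual SA's AH header."""
    return {"spi": spi, "seq": seq, "payload": payload,
            "icv": icv(key, spi, seq, payload)}

def receive(sa_table: dict, packet: dict) -> tuple:
    """Inbound: return ("accept", payload) or ("discard", reason)."""
    if "spi" not in packet:
        return "discard", "not IPsec protected"
    sa = sa_table.get(packet["spi"])
    if sa is None:
        return "discard", "no SA for SPI"
    expected = icv(sa["key"], packet["spi"], packet["seq"], packet["payload"])
    if not hmac.compare_digest(expected, packet["icv"]):
        return "discard", "authentication failure"
    return "accept", packet["payload"]

def simulate() -> dict:
    """Router A sends an OSPFv3 hello on a broadcast segment; B shares A's
    manual SA, C was configured with a different key for the same SPI."""
    hello = b"OSPFv3 HELLO (constructed payload)"
    protected = encapsulate(SPI, SHARED_KEY, seq=1, payload=hello)
    router_b = {SPI: {"key": SHARED_KEY}}
    router_c = {SPI: {"key": b"mismatched-key"}}
    return {
        "b_protected": receive(router_b, protected),
        "c_protected": receive(router_c, protected),
        "b_unprotected": receive(router_b, {"payload": hello}),
    }

if __name__ == "__main__":
    for name, result in simulate().items():
        print(name, result)
```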
IPsec RRI
IPsec Reverse Route Inject (RRI) enables an IPsec tunnel gateway to automatically add static routes destined for protected private networks or peer IPsec tunnel gateways to a routing table. In a VPN network, IPsec RRI can add static routes to VPN instances' routing tables.

IPsec RRI is applicable to gateways, for example, a headquarters gateway that must provide many IPsec tunnels. It frees you from the tedious work of manually configuring and maintaining static routes for IPsec tunnels. For example, if you enable RRI on Device A in Figure 97, Device A can automatically create a static route to branch network 192.168.2.0/24 for the IPsec protected traffic from the headquarters to the branch. You do not have to manually add the static route (whose destination IP/mask is 192.168.2.0/24 and next hop address is 2.2.2.2) on Device A.