F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

If you enable both IPsec and QoS on an interface, QoS may place the traffic of a single IPsec SA into different queues, so that packets of that SA leave the interface out of order. Because IPsec performs anti-replay checking, inbound packets whose sequence numbers fall outside the anti-replay window are discarded, resulting in packet loss. When using IPsec together with QoS, make sure that they use the same classification rules, so that all traffic of one SA is queued together. IPsec classifies traffic according to the ACL rules referenced by the IPsec policy.
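The anti-replay behaviour described above, as an added example that is not part of the HP guide: a Python model of the RFC 4303 sliding anti-replay window and of an interface whose QoS scheduler drains a high-priority queue before a low-priority one. The window size (64), the packet count (200) and the rule that every fourth packet is high priority are constructed inputs chosen for illustration. The same 200 packets of one SA lose nothing when they share a queue and lose more than half when the SA is split across two queues.

```python
"""Sliding anti-replay window (RFC 4303 Appendix A style) and a QoS re-ordering model.

Added example, not part of the HP configuration guide. The window size (64),
the packet count (200) and the classification rule (every 4th packet is
"high priority") are constructed inputs chosen for illustration.
"""


class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound IPsec SA."""

    def __init__(self, size=64):
        # RFC 4303 requires a window of at least 32; 64 is a common default.
        if size < 32:
            raise ValueError("window must hold at least 32 sequence numbers")
        self.size = size
        self.top = 0       # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0    # bit i set <=> sequence number (top - i) was accepted

    def check(self, seq):
        """Classify sequence number `seq` and update state if it is accepted.

        Returns 'accept', 'replay' (already seen) or 'stale' (older than the
        window). The ICV check that a real receiver performs before updating
        state is outside the scope of this model.
        """
        if seq == 0:
            return "stale"          # ESP never sends sequence number 0
        if seq > self.top:
            # Newer than anything seen so far: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.size:
            return "stale"          # too old: discarded even though it is genuine
        if (self.bitmap >> diff) & 1:
            return "replay"         # duplicate sequence number
        self.bitmap |= 1 << diff    # late, but still inside the window
        return "accept"


def replay_stats(transmit_order, window_size=64):
    """Feed a sequence of ESP sequence numbers to a receiver and tally the verdicts."""
    window = AntiReplayWindow(window_size)
    stats = {"accept": 0, "replay": 0, "stale": 0}
    for seq in transmit_order:
        stats[window.check(seq)] += 1
    return stats


def strict_priority_order(seqs, is_high_priority):
    """Model a congested interface with two QoS queues and strict priority scheduling.

    All packets are already queued (a burst); the scheduler drains the
    high-priority queue completely before the low-priority queue, so the
    low-priority packets of the SA are transmitted after every high-priority
    one regardless of their sequence numbers.
    """
    seqs = list(seqs)
    high = [s for s in seqs if is_high_priority(s)]
    low = [s for s in seqs if not is_high_priority(s)]
    return high + low


if __name__ == "__main__":
    burst = range(1, 201)
    # Same classification for all packets of the SA: order preserved, nothing dropped.
    print("single queue:", replay_stats(burst))
    # QoS splits the SA across queues (constructed rule: every 4th packet is high priority).
    reordered = strict_priority_order(burst, lambda s: s % 4 == 0)
    print("two queues:  ", replay_stats(reordered))
```

The dropped packets are reported as "stale", not "replay": they are genuine packets that simply arrived more than one window behind the newest packet of the SA, which is exactly the loss the guide warns about. Keeping all traffic that an IPsec policy's ACL selects in one QoS class avoids the reordering in the first place.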
Configuring IPsec in the Web interface
Configuration considerations
You configure IPsec tunnels on the device by configuring IPsec policies. An IPsec policy uses ACLs to identify the traffic to be protected and takes effect only after it is applied to a physical interface.
The following is the generic IPsec policy configuration procedure:
1. Configure ACLs for identifying the data flows to be protected by IPsec.
2. Configure IPsec proposals to specify the security protocols, authentication and encryption
algorithms, and encapsulation mode. An IPsec proposal applies to data flows associated with it.
3. Configure IPsec policies to associate data flows with IPsec proposals and specify the SA
negotiation mode, the start and end points of the IPsec tunnels, the privacy keys, and the SA
lifetime.
4. Apply the IPsec policies to interfaces.
Recommended configuration procedure
1. Configuring ACLs
   Remarks: Required. Configure ACLs to identify the data flows to be protected by IPsec.
2. Configuring an IPsec proposal
   Remarks: Required. An IPsec proposal defines a set of security parameters for IPsec SA negotiation, including the security protocol, encryption and authentication algorithms, and encapsulation mode.
   IMPORTANT: Changes to an IPsec proposal affect only SAs negotiated after the changes are made.
3. Configuring an IPsec policy template
   Remarks: Required if you are using an IPsec policy template group to create an IPsec policy. An IPsec policy template group is a collection of IPsec policy templates with the same name but different sequence numbers. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.