F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

Step: 4. Configuring an IPsec policy
Remarks: Required.
Configure an IPsec policy by specifying the parameters directly or using a created IPsec policy template. The device supports only IPsec policies that use IKE.
An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. The smaller the sequence number, the higher the priority of the IPsec policy in the policy group.
IMPORTANT:
An IPsec policy referencing a template cannot be used to initiate SA negotiations but can be used to respond to a negotiation request. The parameters specified in the IPsec policy template must match those of the remote end. The parameters not defined in the template are determined by the initiator.
Step: 5. Applying an IPsec policy group
Remarks: Required.
Apply an IPsec policy group to an interface (logical or physical) to protect certain data flows.
Step: 6. Viewing IPsec SAs
Remarks: Optional.
View brief information about established IPsec SAs to verify your configuration.
Step: 7. Viewing packet statistics
Remarks: Optional.
View packet statistics to verify your configuration.
Configuring ACLs
This document introduces only how to reference ACLs in IPsec. To create ACLs, select Firewall > ACL from
the navigation tree. For more information about the procedure, see Access Control Configuration Guide.
If you enable both IPsec and QoS on an interface, traffic of an IPsec SA may be put into different queues
by QoS, causing some packets to be sent out of order. Because IPsec performs anti-replay operation,
packets outside the anti-replay window in the inbound direction may be discarded, resulting in packet
loss. When using IPsec together with QoS, make sure that they use the same classification rules. IPsec
classification rules depend on the referenced ACL rules. For more information about QoS classification
rules, see Network Management Configuration Guide.
Use of the Permit/Deny actions in ACLs
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or
permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement
identifies a data flow that is not protected by IPsec. IPsec matches packets against the referenced ACL.
Matching stops at the first rule that matches the packet, or ends when no rule matches. The packet is
then handled as follows:
Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is
a rule as shown in Figure 99. This rule matches both traffic from 1.1.1.0 to 2.2.2.0 and returned traffic
from 2.2.2.0 to 1.1.1.0.
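As an added illustration (not code from the HP guide or the device), the following Python model shows the first-match permit/deny lookup described above, including the mirrored match that lets one rule cover the returned inbound traffic. The ACL contents are constructed in the spirit of Figure 99; how the device handles a packet that matches no rule is not described in this section, so the function only reports that case.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class AclRule:
    action: str          # "permit" = protect with IPsec, "deny" = do not protect
    src: IPv4Network     # source network the rule is written for (outbound view)
    dst: IPv4Network     # destination network the rule is written for


# Constructed sample ACL (not from the guide): protect 1.1.1.0/24 -> 2.2.2.0/24,
# but exclude one host first so the first-match behaviour is visible.
SAMPLE_ACL = [
    AclRule("deny", IPv4Network("1.1.1.5/32"), IPv4Network("2.2.2.0/24")),
    AclRule("permit", IPv4Network("1.1.1.0/24"), IPv4Network("2.2.2.0/24")),
]


def _rule_matches(rule: AclRule, src: IPv4Address, dst: IPv4Address) -> bool:
    return src in rule.src and dst in rule.dst


def classify(acl, src: str, dst: str, direction: str = "outbound") -> str:
    """First-match lookup of a packet against an IPsec-referenced ACL.

    Outbound packets are compared against each rule as written. Returned
    inbound packets are compared against the mirrored rule (dst -> src),
    because each rule matches both the outbound flow and its return flow.
    Returns "protected", "unprotected", or "no-match".
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    if direction == "inbound":
        s, d = d, s  # mirror so rule src/dst lines up with the returned traffic
    for rule in acl:  # rules are evaluated in order; the first hit decides
        if _rule_matches(rule, s, d):
            return "protected" if rule.action == "permit" else "unprotected"
    return "no-match"  # handling of this case is not covered by this section


if __name__ == "__main__":
    print(classify(SAMPLE_ACL, "1.1.1.10", "2.2.2.20"))                      # protected
    print(classify(SAMPLE_ACL, "1.1.1.5", "2.2.2.20"))                       # unprotected
    print(classify(SAMPLE_ACL, "2.2.2.20", "1.1.1.10", direction="inbound"))  # protected
```

Note that the same addresses seen as a new outbound flow from 2.2.2.0/24 toward 1.1.1.0/24 match no rule, since only the returned inbound traffic is mirrored.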