F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

g. Enter the ACL number 3101.
h. Click Apply.
7. Apply IPsec policy map1 to GigabitEthernet 0/1:
   a. Select VPN > IPSec > IPSec Application from the navigation tree.
   b. Click the icon of interface GigabitEthernet 0/1.
   c. Select policy map1.
   d. Click Apply.
Verifying the configuration
After you complete the configuration, packets exchanged between subnet 10.1.1.0/24 and subnet
10.1.2.0/24 trigger IKE to negotiate SAs. After IKE negotiation succeeds and the IPsec SAs are
established, a static route to subnet 10.1.2.0/24 via 2.2.2.2 is added to the routing table on Device A,
and traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 is protected by IPsec.
Configuring IPsec at the CLI
Implementing IPsec
IPsec can be implemented based on ACLs, tunnel interfaces, or applications:
• ACL-based IPsec uses ACLs to identify the data flows to be protected. To implement ACL-based IPsec,
  configure IPsec policies, reference ACLs in the policies, and apply the policies to physical interfaces
  (see "Implementing ACL-based IPsec"). By using ACLs, you can customize IPsec policies as needed,
  implementing IPsec flexibly.
• Tunnel interface-based IPsec, or routing-based IPsec, depends on the routing mechanism to select
  the data flows to be protected. To implement tunnel interface-based IPsec, configure IPsec profiles
  and apply them to IPsec tunnel interfaces (see "Implementing tunnel interface-based IPsec"). By
  using IPsec profiles, this IPsec implementation method simplifies IPsec VPN configuration and
  management, and improves the scalability of large VPN networks.
• Application-based IPsec protects the packets of a service. This IPsec implementation method can be
  used to protect IPv6 routing protocols. It does not require any ACL, nor does it depend on the
  routing mechanism. To configure application-based IPsec, configure manual IPsec policies and bind
  the policies to an IPv6 routing protocol (see "Configuring IPsec for IPv6 routing protocols").
Implementing ACL-based IPsec
The following is the generic configuration procedure for implementing ACL-based IPsec:
1. Configure an ACL for identifying the data flows to be protected.
2. Configure IPsec transform sets to specify the security protocols, and the authentication and
   encryption algorithms.
3. Configure an IPsec policy group to associate the data flows with the IPsec transform sets and
   specify the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec
   path), the required keys, and the SA lifetime.
4. Apply the IPsec policies to interfaces to finish the IPsec configuration.
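The four steps above, written out as one CLI configuration. This is an added example, not a configuration taken from this guide or from the HP devices it covers. It reuses the values of the web-configuration example (ACL 3101, policy map1, peer 2.2.2.2, subnets 10.1.1.0/24 and 10.1.2.0/24, interface GigabitEthernet 0/1); the transform-set name tran1, the IKE peer name peer1, the pre-shared key and the exact command keywords are assumptions based on Comware-style syntax and must be checked against the command reference for your device. The display commands at the end are the checks that correspond to the "Verifying the configuration" paragraph.

```text
# Added example, not from the guide. Comware-style command syntax is assumed;
# verify every command against your device's command reference.
# Lines starting with # are explanatory notes, not CLI input.

# Step 1. ACL 3101 selects the flow to protect: 10.1.1.0/24 -> 10.1.2.0/24.
#   The peer must configure the mirror image (source 10.1.2.0/24, destination
#   10.1.1.0/24); a non-mirrored ACL is the most common reason IKE negotiation
#   fails or only one direction of traffic ends up protected.
acl number 3101
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

# Step 2. Transform set tran1 (name assumed): ESP in tunnel mode,
#   AES-128 for encryption and SHA-1 for authentication.
ipsec transform-set tran1
 encapsulation-mode tunnel
 transform esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1

# IKE peer peer1 (name assumed): the remote tunnel endpoint and its key.
#   PSK-PLACEHOLDER stands in for a long, random pre-shared key; both ends
#   must hold the same value.
ike peer peer1
 remote-address 2.2.2.2
 pre-shared-key simple PSK-PLACEHOLDER

# Step 3. IPsec policy map1, entry 10, IKE (isakmp) negotiation: ties the ACL,
#   the transform set and the peer together. The SA lifetime is left at its
#   default here; set it explicitly if your policy requires a shorter rekey interval.
ipsec policy map1 10 isakmp
 security acl 3101
 transform-set tran1
 ike-peer peer1

# Step 4. Apply the policy to the interface that faces the peer.
interface GigabitEthernet 0/1
 ipsec policy map1

# Checks, after sending traffic between the two subnets:
display ike sa            # an IKE SA with peer 2.2.2.2 should be present and ready
display ipsec sa          # inbound and outbound ESP SAs for the 10.1.1.0/24 <-> 10.1.2.0/24 flow
display ipsec statistics  # counters increase; errors point at mismatched ACLs or transform sets
```

If display ike sa shows no SA at all, the ACL on this device is not matching the test traffic (check the wildcard masks and the interface the policy is applied to); if the IKE SA comes up but no IPsec SA follows, the two ends disagree on the transform set or on the protected flows.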
Complete the following tasks to configure ACL-based IPsec: