F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

171

172

173

174

175

176

177

178

179

180

167

Task Remarks

777H

Configuring an ACL

Required.

Basic IPsec configuration.

778H

Configuring an IPsec transform set

779H

Configuring an IPsec policy

780H

Applying an IPsec policy group to an interface

781H

Enabling the encryption engine Optional.

782H

Enabling ACL checking for de-encapsulated IPsec packets Optional.

783H

Configuring the IPsec anti-replay function Optional.

784H

Configuring packet information pre-extraction Optional.

785H

Enabling invalid SPI recovery Optional.

786H

Configuring IPsec RRI Optional.

787H

Configuring IPsec stateful failover Optional.

Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and

50 respectively. Make sure that flows of these protocols are not denied on the interfaces with IKE or IPsec

configured.

438BConfiguring an ACL

ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is

desired, such as QoS and IPsec.

1. Keywords in ACL rules

IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or

permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement

identifies a data flow that is not protected by IPsec. With IPsec, a packet is matched against the

referenced ACL rules and processed according to the first rule that it matches:

• Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is

a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This rule matches

both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.

• In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires

protection and continues to process it. If a deny statement is matched or no match is found, IPsec

considers that the packet does not require protection and delivers it to the next function module.

• In the inbound direction:

{ Non-IPsec packets that match a permit statement are dropped.

{ IPsec packets that match a permit statement and are destined for the device itself are

de-encapsulated and matched against the rule again. Only those that match a permit

statement are processed by IPsec.

When defining ACL rules for IPsec, follow these guidelines:

• Permit only data flows that need to be protected and use the any keyword with caution. With the

any keyword specified in a permit statement, all outbound traffic matching the permit statement will

be protected by IPsec and all inbound IPsec packets matching the permit statement will be received

and processed, but all inbound non-IPsec packets will be dropped. This will cause the inbound

traffic that does not need IPsec protection to be all dropped.