F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100
makes sure that SAs can be created successfully for the traffic between Host A and Host C and the traffic
between Network 1 and Network 2.
Figure 126 Mirror image ACLs
If the ACL rules on peers do not form mirror images of each other, SAs can be set up only when both of
the following requirements are met:
• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other peer. As shown in Figure 127, the range specified by the ACL rule configured on Firewall A is covered by its counterpart on Firewall B.
• The peer with the narrower rule initiates SA negotiation. If a wider ACL rule is used by the SA initiator, the negotiation request may be rejected because the matching traffic is beyond the scope of the responder. As shown in Figure 127, the SA negotiation initiated by Host A to Host C is accepted, but the SA negotiations from Host C to Host B or from Host D to Host A are rejected.
Figure 127 Non-mirror image ACLs
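The two requirements above can be checked mechanically. The following is an added example, not code from the guide or the firewall itself: it models each peer's ACL rule as a source/destination network pair and decides whether the rules are mirror images, whether the narrower rule is covered by its counterpart, and which side can successfully initiate. The addresses are constructed for illustration and are not those of Figure 127.

```python
from ipaddress import ip_network

# Constructed sample topology (not taken from the guide):
#   Firewall A protects Host A 10.1.1.1 inside Network 1 10.1.1.0/24.
#   Firewall B protects Hosts C/D inside Network 2 10.2.2.0/24 (Host C = 10.2.2.1).


class AclRule:
    """One 'permit ip' rule, seen from the firewall that holds it: src -> dst."""

    def __init__(self, src: str, dst: str):
        self.src = ip_network(src)
        self.dst = ip_network(dst)

    def mirror(self) -> "AclRule":
        """The rule the peer would need for an exact mirror image."""
        return AclRule(str(self.dst), str(self.src))


def is_mirror_image(a: AclRule, b: AclRule) -> bool:
    """Peer rules mirror each other when each one's source is the other's destination."""
    return a.src == b.dst and a.dst == b.src


def is_covered_by(narrow: AclRule, wide: AclRule) -> bool:
    """True when every flow selected by `narrow` on one peer also matches the
    counterpart rule `wide` on the other peer (compared in mirrored direction)."""
    return narrow.src.subnet_of(wide.dst) and narrow.dst.subnet_of(wide.src)


def sa_outcome(initiator: AclRule, responder: AclRule) -> str:
    """Predict the responder's decision for selectors proposed from `initiator`'s rule."""
    if is_mirror_image(initiator, responder):
        return "accepted: mirror-image ACLs"
    if is_covered_by(initiator, responder):
        return "accepted: initiator's narrower rule is covered by the responder's rule"
    return "rejected: proposed traffic is beyond the scope of the responder's rule"


if __name__ == "__main__":
    fw_a = AclRule("10.1.1.1/32", "10.2.2.1/32")    # Host A -> Host C (narrow)
    fw_b = AclRule("10.2.2.0/24", "10.1.1.0/24")    # Network 2 -> Network 1 (wide)
    print("A initiates:", sa_outcome(fw_a, fw_b))   # accepted (covered)
    print("B initiates:", sa_outcome(fw_b, fw_a))   # rejected (wider initiator)
    print("mirror of A on B:", sa_outcome(fw_a, fw_a.mirror()))
```

Running the check on the constructed rules reproduces the guide's description: only the peer holding the narrower rule can initiate successfully unless both rules are exact mirror images.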
3. Protection modes
Data flows can be protected in the following modes:
• Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is
protected by one tunnel that is established solely for it.
• Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL. This
mode is configurable only in IPsec policies that use IKE negotiation.