Manualshelf

R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
61626364656667686970
65
Tunnel interface-based IPsec, or routing-based IPsec, depends on the routing mechanism to select the
data flows to be protected. To implement tunnel interface-based IPsec, configure IPsec profiles and apply
them to IPsec tunnel interfaces (seeImplementing tunnel interface-based IPsec“)
. By using IPsec profiles,
this IPsec implementation method simplifies IPsec VPN configuration and management, and improves the
scalability of large VPN networks.
Implementing ACL-based IPsec
IPsec configuration task list
The following is the generic configuration procedure for implementing ACL-based IPsec:
1. Configure ACLs for identifying data flows to be protected.
2. Configure IPsec proposals to specify the security protocols, authentication and encryption
algorithms, and encapsulation mode.
3. Configure IPsec policies to associate data flows with IPsec proposals and specify the SA
negotiation mode, the peer IP addresses (the start and end points of the IPsec tunnel), the required
keys, and the SA lifetime.
4. Apply the IPsec policies to interfaces to finish IPsec configuration.
Complete the following tasks to configure ACL-based IPsec:
Task Remarks
Configuring ACLs
Required
Basic IPsec configuration
Configuring an IPsec proposal
Configuring an IPsec policy
Applying an IPsec policy group to an interface
Enabling the encryption engine Required
Configuring the IPsec anti-replay function Optional
Configuring packet information pre-extraction Optional
CAUTION:
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and
50 respectively. Make sure that flows of these protocols are not denied on the interfaces with IKE or IPsec
configured.
Configuring ACLs
ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is
desired, such as QoS and IPsec.
1. Keywords in ACL rules
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or
permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement
identifies a data flow that is not protected by IPsec. With IPsec, a packet is matched against the
referenced ACL rules and processed according to the first rule that it matches:
Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is
a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This rule matches
both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.