R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

Figure 51 Non-mirror image ACLs
3. Protection modes
Data flows can be protected in the following modes:
• Standard mode, in which one tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one tunnel that is established solely for it.
• Aggregation mode, in which one tunnel protects all data flows permitted by all the rules of an ACL. This mode applies only to scenarios that use IKE for negotiation.
NOTE:
For more information about ACL configuration, see Access Control Configuration Guide.
To use IPsec in combination with QoS, ensure that the ACL classification rules used by IPsec match the QoS classification rules. If the rules do not match, QoS may classify the packets of one IPsec SA into different queues, causing packets to be sent out of order. When the anti-replay function is enabled, IPsec discards inbound packets that fall outside the anti-replay window, resulting in packet loss. For more information about QoS classification rules, see Network Management Configuration Guide.
Configuring an IPsec proposal
An IPsec proposal, part of an IPsec policy or an IPsec profile, defines the security parameters for IPsec SA negotiation, including the security protocol, the encryption and authentication algorithms, and the encapsulation mode.
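Added example (not taken from this guide) of two proposals built with the commands in the step table below: one that leaves the encryption algorithm at its DES default, and one that sets AES explicitly; the hostname and proposal names are made up. The esp authentication-algorithm, encapsulation-mode and display ipsec proposal commands do not appear on this page and are assumed from the Comware command reference; confirm them for your release.

```text
# Added example. Assumed hostname "Firewall", proposal names "prop-default" and "prop-aes".
<Firewall> system-view

# Proposal 1: only the security protocol is set. Because esp encryption-algorithm
# is optional and DES is the default, this proposal negotiates DES even though no
# "des" keyword ever appears in the configuration.
[Firewall] ipsec proposal prop-default
[Firewall-ipsec-proposal-prop-default] transform esp
[Firewall-ipsec-proposal-prop-default] quit

# Proposal 2: same protocol, but the encryption algorithm is set explicitly.
# key-length is the optional argument from the table; 256 selects AES-256.
[Firewall] ipsec proposal prop-aes
[Firewall-ipsec-proposal-prop-aes] transform esp
[Firewall-ipsec-proposal-prop-aes] esp encryption-algorithm aes 256
# Assumed commands (not on this page): SHA-1 integrity rather than MD5, and tunnel encapsulation.
[Firewall-ipsec-proposal-prop-aes] esp authentication-algorithm sha1
[Firewall-ipsec-proposal-prop-aes] encapsulation-mode tunnel
[Firewall-ipsec-proposal-prop-aes] quit

# Assumed verification command: the ESP encryption algorithm shown for prop-aes
# should be AES, while prop-default shows DES.
[Firewall] display ipsec proposal prop-aes
[Firewall] display ipsec proposal prop-default
```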
Follow these steps to configure an IPsec proposal:
Step 1. Enter system view.
  Command: system-view

Step 2. Create an IPsec proposal and enter its view.
  Command: ipsec proposal proposal-name
  Remarks: Required. By default, no IPsec proposal exists.

Step 3. Specify the security protocol for the proposal.
  Command: transform { ah | ah-esp | esp }
  Remarks: Optional. ESP by default.

Step 4. Specify the security algorithms.
  4a. Specify the encryption algorithm for ESP.
  Command: esp encryption-algorithm { 3des | aes [ key-length ] | des }
  Remarks: Optional. DES by default.