R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

You can apply an IPsec policy group to a logical or physical interface to protect certain data flows. To cancel the IPsec protection, remove the application of the IPsec policy group.

For each packet to be sent out an IPsec protected interface, the system looks through the IPsec policies in the IPsec policy group in ascending order of sequence numbers. If an IPsec policy matches the packet, the system uses the IPsec policy to protect the packet. If no match is found, the system sends the packet out without IPsec protection.

In addition to physical interfaces like serial and Ethernet ports, you can apply an IPsec policy to virtual interfaces, such as tunnel and virtual template interfaces, to tunnel applications such as GRE and L2TP.
Follow these steps to apply an IPsec policy group to an interface:

To do…                                          Use the command…                             Remarks
Enter system view                               system-view
Enter interface view                            interface interface-type interface-number
Apply an IPsec policy group to the interface    ipsec policy policy-name                     Required
NOTE:
An interface can reference only one IPsec policy group. An IPsec policy that uses IKE can be applied to more than one interface, but a manual IPsec policy can be applied to only one interface.
Enabling the encryption engine

The encryption engine is a coprocessor that provides an encryption/decryption algorithm interface for IPsec processing. There are two cases:
• If the encryption engine is enabled, the engine takes over the responsibility of IPsec processing.
• If the encryption engine is disabled or has failed but the IPsec module backup function is enabled, the IPsec module takes over the responsibility of IPsec processing; if the IPsec module backup function is disabled, the matching packets are discarded.
Follow these steps to enable the encryption engine:

To do…                          Use the command…       Remarks
Enter system view               system-view
Enable the encryption engine    cryptoengine enable    Optional. By default, the encryption engine is enabled.
Enabling ACL checking of de-encapsulated IPsec packets

In tunnel mode, the IP packet that was encapsulated in an inbound IPsec packet may not be an object that an ACL specifies to be protected. For example, a forged packet is not an object to be protected. If you enable ACL checking of de-encapsulated IPsec packets, all packets that fail the check are discarded, improving network security.
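The two behaviours described above, the outbound policy-group lookup in ascending sequence-number order and the inbound ACL check on the de-encapsulated inner packet, modelled as an added example; this is constructed illustration code, not HP firmware or any command from this guide, and the policy names, sequence numbers and address ranges are made up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model (not HP code) of the behaviour described above:
# an IPsec policy group is a set of policies, each with a sequence number
# and an ACL that selects the data flows the policy protects.

@dataclass
class Packet:
    src: str
    dst: str

@dataclass
class Policy:
    name: str
    seq: int
    acl: list  # (source network, destination network) permit rules

def acl_permits(acl: list, pkt: Packet) -> bool:
    """True if any permit rule covers the packet's source and destination."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    return any(src in ip_network(s) and dst in ip_network(d) for s, d in acl)

def select_policy(group: list, pkt: Packet) -> Optional[Policy]:
    """Outbound lookup: walk the group in ascending sequence-number order and
    return the first policy whose ACL matches; None means the packet leaves
    the interface without IPsec protection."""
    for pol in sorted(group, key=lambda p: p.seq):
        if acl_permits(pol.acl, pkt):
            return pol
    return None

def accept_decapsulated(pol: Policy, inner: Packet, acl_check: bool) -> bool:
    """Inbound tunnel mode: with ACL checking enabled the inner packet must be
    traffic the policy's ACL protects, otherwise it is discarded."""
    return acl_permits(pol.acl, inner) if acl_check else True

# Constructed sample group, deliberately listed out of sequence order.
POL10 = Policy("hq-to-branch", 10, [("10.1.1.0/24", "10.2.2.0/24")])
POL20 = Policy("site-wide", 20, [("10.1.0.0/16", "10.2.0.0/16")])
GROUP = [POL20, POL10]

if __name__ == "__main__":
    hit = select_policy(GROUP, Packet("10.1.1.5", "10.2.2.7"))
    print("outbound ->", hit.name if hit else "no IPsec protection")
    forged = Packet("172.16.0.1", "10.2.2.7")  # inner packet outside the ACL
    print("forged inner packet accepted with ACL check:",
          accept_decapsulated(POL10, forged, acl_check=True))
```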
Follow these steps to enable ACL checking of de-encapsulated IPsec packets: