Manualshelf

R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
81828384858687888990
79
To do… Use the command…
Remarks
Specify the source address or
interface of the tunnel interface
source { ip-address |
interface-type interface-number }
Required
By default, no source address or
interface is specified for a tunnel
interface.
If you specify an interface, the
tunnel interface will take the
primary IP address of the source
interface.
Specify the destination address of the
tunnel interface
destination ip-address
Optional for an IKE negotiation
responder, and required for an
IKE negotiation initiator
By default, no tunnel destination
address is configured.
Apply an IPsec profile to the tunnel
interface
ipsec profile profile-name
Required
The IPsec profile must have been
created and have not been
applied to any DVPN tunnel
interface.
NOTE:
An IPsec profile can be applied to an IPsec tunnel interface and cannot be applied to two type tunnel
interfaces simultaneously.
An IPsec tunnel interface can reference only one IPsec profile.
Apply an IPsec profile to only one IPsec tunnel interface. Although an IPsec profile can be applied to
multiple IPsec tunnel interfaces, it takes effect only on the IPsec tunnel interface that goes up first.
Enabling packet information pre-extraction on the IPsec tunnel interface
Because packets that an IPsec tunnel interface passes to a physical interface are encapsulated, the QoS
module cannot obtain the 5-tuple (source IP, destination IP, source port, destination port, and protocol) of
the original packets. To address this problem, enable packet information pre-extraction on the tunnel
interface.
With packet information pre-extraction enabled, an IPsec tunnel interface buffers the IP 5-tuple data in
the original packets, so that the corresponding physical interface can perform QoS processing such as
traffic classification, IP precedence setting, rate limit, and congestion avoidance.
To implement QoS for IPsec packets, however, you also need to apply a QoS policy to the physical
outbound interface. For more information about how to apply a QoS policy to a physical interface, see
Network Management Configuration Guide.
Follow these steps to enable packet information pre-extraction on an IPsec tunnel interface:
To do… Use the command…
Remarks
Enter system view system-view
Enter tunnel interface view interface tunnel number