R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101
80
To do… Use the command…
Remarks
Enable packet information
pre-extraction
qos pre-classify
Required
Disabled by default.
For more information about the
command, see Network
Management Command
Reference.
CAUTION:
W
hen the QoS policy applied to the physical outbound interface provides con
g
estion mana
g
ement, IPsec
packets arriving at the destination may be out of order. This may cause IPsec out of order to be dropped
by the IPsec anti-replay function. For more information, see “Configuring the IPsec anti-replay function.“
Applying a QoS policy to an IPsec tunnel interface
The device allows you to apply a QoS policy to the IPsec tunnel interface. In this case, QoS is performed
before IPsec encapsulation, and the priority of a resulting packet is the same as that of the original packet.
In addition, the QoS congestion management is done to the packets before encapsulation, avoiding the
disorder of IPsec packets.
This method is much more explicit and flexible than the QoS implementation method of enabling packet
information pre-extraction on the IPsec tunnel interface, which requires applying a QoS policy to the
physical outbound interface.
Follow these steps to apply a QoS policy to an IPsec tunnel interface:
To do… Use the command…
Remarks
Enter system view system-view —
Enter tunnel interface view interface tunnel number —
Apply a QoS policy to the IPsec
tunnel interface
qos apply policy policy-name
{ inbound | outbound }
Required
For more information about the
command, see Network
Management Command
Reference.
Displaying and maintaining IPsec
To do… Use the command…
Remarks
Display IPsec policy information
display ipsec policy [ brief | name
policy-name [ seq-number ] ]
Available in any view
Display IPsec policy template
information
display ipsec policy-template
[ brief | name template-name
[ seq-number ] ]
Available in any view
Display the configuration of IPsec
profiles
display ipsec profile [ name
profile-name ]
Available in any view
Display IPsec proposal information
display ipsec proposal
[ proposal-name ]
Available in any view