R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
Recommended configuration procedure

Step 1: Configuring ACLs
Required.
Configure ACLs to identify the data flows to be protected by IPsec.
IMPORTANT:
This document introduces only how to reference ACLs in IPsec. To create ACLs, select Firewall > ACL from the navigation tree. For more information about the procedure, see the Access Control Configuration Guide.

Step 2: Configuring an IPsec proposal
Required.
An IPsec proposal defines a set of security parameters for IPsec SA negotiation, including the security protocol, the encryption and authentication algorithms, and the encapsulation mode.
IMPORTANT:
Changes to an IPsec proposal affect only SAs negotiated after the changes are made; existing SAs keep the parameters they were negotiated with.

Step 3: Configuring an IPsec policy template
Required if you are using an IPsec policy template group to create an IPsec policy.
An IPsec policy template group is a collection of IPsec policy templates with the same name but different sequence numbers. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.

Step 4: Configuring an IPsec policy
Required.
Configure an IPsec policy by specifying the parameters directly or by using a created IPsec policy template. The firewall supports only IPsec policies that use IKE.
An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. The smaller the sequence number, the higher the priority of the IPsec policy in the policy group.
IMPORTANT:
An IPsec policy referencing a template cannot be used to initiate SA negotiations, but it can be used to respond to a negotiation request. The parameters specified in the IPsec policy template must match those of the remote end. The parameters not defined in the template are determined by the initiator.

Step 5: Applying an IPsec policy group
Required.
Apply an IPsec policy group to an interface (logical or physical) to protect the data flows that traverse that interface and match the ACLs of the policies in the group.

Step 6: Displaying IPsec SAs
Optional.
View brief information about established IPsec SAs to verify your configuration.

Step 7: Displaying packet statistics
Optional.
View packet statistics to verify your configuration.
Configuring ACLs
Permit/Deny Actions in ACLs
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules, and each ACL rule is a permit or deny statement. A permit statement identifies a data flow to be protected by IPsec; a deny statement identifies a data flow that is not protected by IPsec. IPsec matches packets against the referenced ACL to decide which of the two applies.
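The following Python model is added here as an illustration of how the permit/deny actions described above combine with the sequence-number priority of an IPsec policy group and with the rule that a template-based policy can only respond to, never initiate, a negotiation. It is not code from the firewall or from this guide. The ACL numbers, policy name, addresses and flows are constructed for the example, and three behaviours are assumed rather than taken from the page (rules evaluated in listed order with first match winning; a flow matching no rule is not protected by that ACL; a deny match in one policy's ACL lets the lookup continue to lower-priority policies), so verify them against your platform before relying on them.

```python
"""Model of ACL-based flow selection and IPsec policy-group priority.

Added illustration only; this is not code from the HP firewall or from this
guide. Assumptions not stated on the page (verify against the platform):
  - ACL rules are evaluated in listed order and the first match wins;
  - a flow matching no rule of an ACL is not protected by that ACL;
  - a deny match in one policy's ACL does not stop the lookup from moving
    on to lower-priority policies in the same group.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AclRule:
    action: str   # "permit": protect with IPsec; "deny": do not protect
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


@dataclass
class Acl:
    number: int
    rules: List[AclRule]

    def lookup(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """Return the action of the first matching rule, or None if nothing matches."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip):
                return rule.action
        return None


@dataclass
class IpsecPolicy:
    name: str                    # all policies of a group share this name
    seq: int                     # smaller sequence number = higher priority
    acl: Acl                     # ACL identifying the flows this policy protects
    from_template: bool = False  # template-based policies can only respond


@dataclass
class IpsecPolicyGroup:
    name: str
    policies: List[IpsecPolicy] = field(default_factory=list)

    def add(self, policy: IpsecPolicy) -> None:
        if policy.name != self.name:
            raise ValueError("policy name must equal the group name")
        self.policies.append(policy)
        self.policies.sort(key=lambda p: p.seq)  # keep priority order

    def select(self, src_ip: str, dst_ip: str) -> Optional[IpsecPolicy]:
        """First policy, by sequence number, whose ACL permits the flow."""
        for policy in self.policies:
            if policy.acl.lookup(src_ip, dst_ip) == "permit":
                return policy
        return None


def outbound_action(group: IpsecPolicyGroup, src_ip: str, dst_ip: str,
                    has_sa: bool = False) -> str:
    """What happens to an outbound packet on the interface the group is applied to."""
    policy = group.select(src_ip, dst_ip)
    if policy is None:
        return "forward unprotected"
    if has_sa:
        return f"protect with {policy.name} seq {policy.seq}"
    if policy.from_template:
        return (f"{policy.name} seq {policy.seq} matches but is template-based: "
                f"cannot initiate, wait for the peer")
    return f"initiate IKE negotiation via {policy.name} seq {policy.seq}"


def build_example_group() -> IpsecPolicyGroup:
    """Constructed sample configuration; all numbers and addresses are made up."""
    acl3000 = Acl(3000, [
        AclRule("deny", "10.1.1.0/24", "10.1.99.0/24"),   # exclude a management subnet
        AclRule("permit", "10.1.1.0/24", "10.1.0.0/16"),  # protect the rest of the site
    ])
    acl3001 = Acl(3001, [
        AclRule("permit", "10.1.0.0/16", "10.1.2.0/24"),  # overlaps with ACL 3000
        AclRule("permit", "10.1.5.0/24", "10.2.0.0/16"),  # branch reached via the template policy
    ])
    group = IpsecPolicyGroup("vpn")
    # Added out of order on purpose: priority comes from seq, not insertion order.
    group.add(IpsecPolicy("vpn", 20, acl3001, from_template=True))
    group.add(IpsecPolicy("vpn", 10, acl3000))
    return group


if __name__ == "__main__":
    g = build_example_group()
    for flow in [("10.1.1.5", "10.1.2.7"), ("10.1.1.5", "10.1.99.9"),
                 ("10.1.5.3", "10.2.1.1")]:
        print(flow, "->", outbound_action(g, *flow))
```

The flow 10.1.1.5 to 10.1.2.7 is permitted by both ACLs, but the policy with sequence number 10 wins because it is the higher-priority member of the group; the flow to 10.1.99.9 hits the deny rule before the broader permit and leaves the firewall unprotected, which is the check to run whenever a deny is added to an IPsec ACL; and the branch flow is selected by the template-based policy, which can protect it once the peer has negotiated an SA but cannot start that negotiation itself.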