R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

Figure 107 Non-mirror image ACLs
Protection modes
Data flows can be protected in the following modes:
Standard mode—in which one tunnel is used to protect one data flow. The data flow permitted by
each ACL rule is protected by one tunnel that is established separately for it.
Aggregation mode—in which one tunnel is used to protect all data flows permitted by all the rules
of an ACL. This mode applies only to scenarios that use IKE for negotiation.
For more information about ACL configuration, see Access Control Configuration Guide.
To use IPsec in combination with QoS, make sure that IPsec's ACL classification rules match the QoS
classification rules. If the rules do not match, QoS may classify the packets of one IPsec SA into different
queues, causing packets to be sent out of order. When the anti-replay function is enabled, IPsec
discards inbound packets that fall outside the anti-replay window, resulting in packet loss. For
more information about QoS classification rules, see Network Management Configuration Guide.
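The reordering problem described above, as an added example that is not part of the HP guide: a Python simulation of a sliding anti-replay window in the style of RFC 4303, fed the packets of one SA after QoS has split them across a fast and a slow queue. The window sizes, the delay model, and all sequence numbers are constructed assumptions, and `arrival_order` and `discarded` are hypothetical helper names.

```python
# Added illustration, not from the HP guide: a sliding anti-replay window in
# the style of RFC 4303. Window sizes, delays and sequence numbers are constructed.

class AntiReplayWindow:
    def __init__(self, size=32):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (top - i) already seen

    def accept(self, seq):
        """Return True if the packet passes the check, False if discarded."""
        if seq > self.top:                       # newer packet: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                  # left of the window: too old
            return False
        if self.bitmap & (1 << offset):          # sequence number already seen
            return False
        self.bitmap |= 1 << offset               # late but still inside the window
        return True


def arrival_order(count, slow_every, delay):
    """Model QoS splitting one SA across two queues: every slow_every-th
    packet goes to a slower queue and arrives `delay` positions late."""
    keyed = []
    for seq in range(1, count + 1):
        late = delay if seq % slow_every == 0 else 0
        keyed.append((seq + late, late, seq))    # on-time packets win ties
    return [seq for _, _, seq in sorted(keyed)]


def discarded(order, window_size):
    """Sequence numbers the receiver drops for a given arrival order."""
    win = AntiReplayWindow(window_size)
    return [seq for seq in order if not win.accept(seq)]


if __name__ == "__main__":
    mixed = arrival_order(200, slow_every=10, delay=40)
    print("in order, window 32 :", discarded(list(range(1, 201)), 32))
    print("reordered, window 32:", discarded(mixed, 32))
```

With these constructed values, in-order delivery loses nothing, while every packet that the slow queue delays past the 32-packet window is discarded even though none of them is a replay.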
Configuring an IPsec proposal
1. Select VPN > IPSec > Proposal from the navigation tree to enter the IPsec proposal management
page.
Figure 108 IPsec proposal list
2. Click Add to enter the IPsec proposal configuration wizard page.
The Web interface provides two modes for configuring an IPsec proposal: suite mode and custom
mode. The suite mode allows you to select a pre-defined encryption suite. The custom mode allows
you to configure the IPsec proposal parameters at your discretion.