R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

Figure 119 Packet statistics
Configuring ACL-based IPsec at the CLI
Configuration task list
Task                                                     Remarks
Configuring ACLs                                         Required.
Configuring an IPsec proposal                            Required. Basic IPsec configuration.
Applying an IPsec policy group to an interface           Required. Basic IPsec configuration.
Enabling the encryption engine                           Required.
Enabling ACL checking of de-encapsulated IPsec packets   Optional.
Configuring the IPsec anti-replay function               Optional.
Configuring packet information pre-extraction            Optional.
Enabling invalid SPI recovery                            Optional.
Configuring IPsec RRI                                    Optional.
Configuring IPsec stateful failover                      Optional.
IMPORTANT:
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the IP protocol numbers 51 and 50 respectively. Make sure that flows of these protocols are not denied on the interfaces with IKE or IPsec configured.
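As an added illustration (not configuration from this guide), the following Comware-style advanced ACL permits the IKE, ESP and AH flows named in the note, so that a packet filter built on it does not drop the negotiation or the protected traffic; the ACL number 3001, the description text and the rule IDs are chosen for this example:

```text
acl number 3001
 description permit-ike-ah-esp
 rule 0 permit udp destination-port eq 500
 rule 5 permit 50
 rule 10 permit 51
```

Rule 0 matches IKE (UDP 500), rule 5 matches ESP (IP protocol 50) and rule 10 matches AH (IP protocol 51); `display acl 3001` lists the rules and their match counts, which is a quick way to confirm that IKE and IPsec packets are reaching the interface rather than being filtered.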
Configuring ACLs
ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is
desired, such as QoS and IPsec.
Keywords in ACL rules
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or
permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement