R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
3. Configure an IPsec tunnel interface and apply the IPsec profile to the interface.
NOTE:
Because packets routed to the IPsec tunnel interface are all protected, the data protection scope, which is required for IPsec policy configuration, is not needed in the IPsec profile.
Complete the following tasks to configure tunnel interface-based IPsec:
Task                                                                       Remarks
Configuring an IPsec proposal                                              Required. An IPsec proposal for the IPsec tunnel interface to reference supports tunnel mode only.
Configuring an IPsec profile                                               Required.
Configuring an IPsec tunnel interface                                      Required.
Enabling packet information pre-extraction on the IPsec tunnel interface   Optional.
Applying a QoS policy to an IPsec tunnel interface                         Optional.
Enabling the encryption engine                                             Optional.
Configuring the IPsec anti-replay function                                 Optional.
Configuring IPsec stateful failover                                        Optional.
Configuring an IPsec profile
As described previously, an IPsec policy is uniquely identified by its name and sequence number. An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority. After an IPsec policy group is applied to an interface, for each packet arriving at the interface, the system checks the IPsec policies of the IPsec policy group in the ascending order of sequence numbers. One IPsec tunnel will be established for each data flow to be protected, and multiple IPsec tunnels may exist on an interface.

An IPsec profile is similar to an IPsec policy. The difference is that an IPsec profile is uniquely identified by its name and it does not support ACL configuration. An IPsec profile defines the IPsec proposal to be used for protecting data flows, and specifies the parameters for IKE negotiation. After an IPsec profile is applied to an IPsec tunnel interface, only one IPsec tunnel is set up to protect all data flows that are routed to the tunnel.

IPsec profiles can be applied only to IPsec tunnel interfaces. The IPsec tunnel established using an IPsec profile protects all IP data routed to the tunnel interface.
Before configuring an IPsec profile, complete the following tasks:
• IPsec proposal configuration. For more information, see "Configuring an IPsec proposal."
• IKE peer configuration. For more information, see "Configuring IKE."
The parameters for the local and remote ends must match.
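The task list above, carried through as an added configuration example for one end of a tunnel interface-based IPsec setup (this is not configuration taken from the guide). The device roles, addresses, names, the pre-shared key and the exact Comware V5 command forms are assumptions; verify them against the command reference for your release.

```text
# Added example (not from the guide): firewall FW-A, tunnel interface-based IPsec.
# Addresses, names and the pre-shared key are constructed values; command syntax
# assumed from Comware V5 and should be checked against your release.
#
# 1. IPsec proposal. An IPsec profile can reference tunnel-mode proposals only
#    (tunnel mode is the default; it is set explicitly here for clarity).
ipsec proposal tran1
 encapsulation-mode tunnel
 transform esp
 esp encryption-algorithm aes 128
 esp authentication-algorithm sha1
#
# IKE peer. The key and addresses must match what the remote end configures.
ike peer peer-b
 pre-shared-key simple ExamplePSK-change-me
 remote-address 2.2.2.2
#
# 2. IPsec profile. Identified by name only; no ACL (data protection scope),
#    because everything routed to the tunnel interface is protected.
ipsec profile prof1
 proposal tran1
 ike-peer peer-b
#
# 3. IPsec tunnel interface with the profile applied. A single IPsec tunnel
#    protects all data flows routed to Tunnel0.
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 source 1.1.1.1
 destination 2.2.2.2
 tunnel-protocol ipsec ipv4
 ipsec profile prof1
#
# Steer the remote protected subnet into the tunnel interface.
ip route-static 192.168.2.0 255.255.255.0 Tunnel0
#
# FW-B mirrors this configuration with the same proposal and profile settings,
# remote-address 1.1.1.1, source 2.2.2.2, destination 1.1.1.1, and a static
# route for 192.168.1.0/24 via its own Tunnel0.
```

Because the profile carries no ACL, the static route is what decides which traffic is protected; a missing or wrong route leaves that traffic to follow the normal routing table unprotected.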