R211x-HP Flexfabric 11900 Security Configuration Guide
• When an IPsec peer identifies packets to be protected according to the IPsec policy, it sets up
an IPsec tunnel and sends the packets to the remote peer through the tunnel. The IPsec tunnel can be
manually configured beforehand, or it can be set up through IKE negotiation triggered by the
packet. An IPsec tunnel is in fact a pair of IPsec SAs: inbound packets are protected by the
inbound SA, and outbound packets are protected by the outbound SA.
• When the remote IPsec peer receives the packet, it drops, de-encapsulates, or directly forwards the
packet according to the configured IPsec policy.
Interface-based IPsec supports setting up IPsec tunnels based on ACLs.
ACL-based IPsec
To implement ACL-based IPsec, configure an ACL to define the data flows to be protected, reference the
ACL in an IPsec policy, and then apply the IPsec policy to an interface. When packets sent out of the
interface match a permit rule of the ACL, they are protected by the outbound IPsec SA and
encapsulated with IPsec. When the interface receives an IPsec packet whose destination address is the
IP address of the local device, it uses the SPI carried in the IPsec packet header to look up the
inbound IPsec SA and de-encapsulates the packet with that SA. If the de-encapsulated packet matches a
permit rule of the ACL, the device processes the packet. Otherwise, it drops the packet.
The device supports the following data flow protection modes:
• Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule
is protected by one IPsec tunnel that is established solely for it.
• Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL.
This mode is only used to communicate with old-version devices.
• Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is
identified by one ACL rule and protected by one IPsec tunnel established solely for it. This mode
consumes more system resources when multiple data flows exist between two subnets to be
protected.
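To make the outbound and inbound behaviour above concrete, the following Python model (an added illustration, not code from the guide or the device) simulates two peers running ACL-based IPsec: outbound packets are matched against the ACL and encapsulated under the outbound SA of their tunnel, inbound IPsec packets are de-encapsulated with the inbound SA selected by SPI and then re-checked against the ACL, and the tunnel key shows how the standard, aggregation and per-host modes differ in the number of tunnels they set up for the same traffic. The subnets, addresses, SPI values and packets are constructed for the example. IKE negotiation is replaced by a negotiate() helper that installs the SA pair on both peers, and the inbound ACL check assumes mirror-image ACLs on the two peers; both are assumptions of the model, not statements about the device.

```python
"""Model of the ACL-based IPsec data path (added illustration, not device code)."""
import ipaddress
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def rule(action, src, dst):
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    spi: "int | None" = None          # present only on IPsec-encapsulated packets
    inner: "Packet | None" = None     # the protected (encapsulated) packet


def acl_lookup(acl, src, dst):
    """First-match lookup: index of the matching permit rule, else None (deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(acl):
        if s in r.src and d in r.dst:
            return i if r.action == "permit" else None
    return None


def tunnel_key(mode, rule_index, src, dst):
    """Identifies the IPsec tunnel (SA pair) that protects a permitted flow."""
    if mode == "standard":       # one tunnel per ACL rule
        return ("rule", rule_index)
    if mode == "aggregation":    # one tunnel for all rules of the ACL
        return ("acl",)
    if mode == "per-host":       # one tunnel per host-to-host flow
        return ("hosts", src, dst)
    raise ValueError(f"unknown protection mode {mode!r}")


_spi = count(0x1000)  # constructed SPI allocator shared by the two model peers


class Peer:
    def __init__(self, ip, acl, mode):
        self.ip, self.acl, self.mode = ip, acl, mode
        self.remote = None   # set by make_pair()
        self.sa_out = {}     # tunnel key -> outbound SPI
        self.sa_in = {}      # inbound SPI -> tunnel key

    def negotiate(self, key):
        """Stands in for IKE (model assumption): installs the SA pair on first use."""
        if key not in self.sa_out:
            spi = next(_spi)
            self.sa_out[key] = spi
            self.remote.sa_in[spi] = key
        return self.sa_out[key]

    def send(self, pkt):
        """Outbound: a packet matching a permit rule is encapsulated under its tunnel's
        outbound SA; other packets are forwarded unprotected (model assumption)."""
        idx = acl_lookup(self.acl, pkt.src, pkt.dst)
        if idx is None:
            return ("forward", pkt)
        spi = self.negotiate(tunnel_key(self.mode, idx, pkt.src, pkt.dst))
        return ("protect", Packet(self.ip, self.remote.ip, spi=spi, inner=pkt))

    def receive(self, pkt):
        """Inbound: select the inbound SA by SPI, de-encapsulate, then require the
        de-encapsulated packet to match a permit rule of the ACL or drop it."""
        if pkt.spi is None or pkt.dst != self.ip:
            return ("forward", pkt)
        if pkt.spi not in self.sa_in:
            return ("drop", "no inbound SA for SPI")
        inner = pkt.inner
        # Model assumption: the peers' ACLs mirror each other, so the inbound
        # check looks the de-encapsulated packet up with source/destination swapped.
        if acl_lookup(self.acl, inner.dst, inner.src) is None:
            return ("drop", "decapsulated packet not permitted by ACL")
        return ("accept", inner)


def make_pair(mode):
    """Constructed peers protecting 10.1.1.0/24 <-> 10.1.2.0/24 and <-> 10.1.3.0/24."""
    acl_a = [rule("permit", "10.1.1.0/24", "10.1.2.0/24"),
             rule("permit", "10.1.1.0/24", "10.1.3.0/24")]
    acl_b = [rule("permit", "10.1.2.0/24", "10.1.1.0/24"),
             rule("permit", "10.1.3.0/24", "10.1.1.0/24")]
    a, b = Peer("192.0.2.1", acl_a, mode), Peer("192.0.2.2", acl_b, mode)
    a.remote, b.remote = b, a
    return a, b


def tunnels_needed(mode, flows):
    """Number of tunnels peer A sets up to carry the given (src, dst) flows."""
    a, _ = make_pair(mode)
    for src, dst in flows:
        a.send(Packet(src, dst))
    return len(a.sa_out)
```

The receive() path is the security-relevant part: a packet carrying a valid SPI whose inner addresses fall outside the ACL is still dropped after de-encapsulation, so a peer cannot use an established tunnel to inject traffic for flows the policy never selected. tunnels_needed() reproduces the resource claim for per-host mode: three host pairs spread over two rules cost three tunnels per host, two in standard mode and one in aggregation mode.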
Protocols and standards
• RFC 2401, Security Architecture for the Internet Protocol
• RFC 2402, IP Authentication Header
• RFC 2406, IP Encapsulating Security Payload
• RFC 4552, Authentication/Confidentiality for OSPFv3
FIPS compliance
The device supports FIPS mode, which complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ between FIPS mode (see "Configuring FIPS") and non-FIPS mode.
IPsec tunnel establishment
Implementing ACL-based IPsec protects packets identified by an ACL. To establish an ACL-based IPsec
tunnel, configure an IPsec policy, reference an ACL in the policy, and apply the policy to an interface (see
"Implementing ACL-based IPsec"). The IPsec tunnel establishment steps are the same in an IPv4 network
and in an IPv6 network.