R21xx-HP FlexFabric 11900 Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP FlexFabric 11000 Switch Products

161

162

163

164

165

166

167

168

169

170

156

Configure an IPsec policy to associate data flows with the IPsec transform sets, specify the SA

negotiation mode, the peer IP addresses (the start and end points of the IPsec path), the required

keys, and the SA lifetime.

An IPsec policy is a set of IPsec policy entries that have the same name but different sequence

numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has a

higher priority.

4. Apply the IPsec policy to an interface.

Complete the following tasks to configure ACL-based IPsec:

Tasks at a

lance

(Required.) Configuring an ACL

(Required.) Configuring an IPsec transform set

(Required.) Configure an IPsec policy (use either method):

• Configuring a manual IPsec policy

• Configuring an IKE-based IPsec policy

(Required.) Applying an IPsec policy to an interface

(Optional.) Enabling ACL checking for de-encapsulated packets

(Optional.) Configuring the IPsec anti-replay function

(Optional.) Binding a source interface to an IPsec policy

(Optional.) Enabling QoS pre-classify

(Optional.) Enabling logging of IPsec packets

(Optional.) Configuring the DF bit of IPsec packets

Configuring an ACL

IPsec uses ACLs to identify the traffic to be protected. To use IPsec to protect VPN traffic, specify the VPN

parameters in the ACL rules.

Keywords in ACL rules

An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement

identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not protected

by IPsec. With IPsec, a packet is matched against the referenced ACL rules and processed according to

the first rule that it matches:

• Each ACL rule matches both the outbound traffic and the returned inbound traffic.

• In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires

protection and continues to process it. If a deny statement is matched or no match is found, IPsec

considers that the packet does not require protection and delivers it to the next function module.

• In the inbound direction:

{ Non-IPsec packets that match a permit statement are dropped.

{ IPsec packets that match a permit statement and are destined for the device itself are

de-encapsulated and matched against the rule again. Only those that match a permit

statement are processed by IPsec.

When defining ACL rules for IPsec, follow these guidelines: