R21xx-HP FlexFabric 11900 Security Configuration Guide
as the source interface is up, the negotiated IPsec SAs will not be removed and will keep working, regardless of link failover.
Follow these guidelines when you perform this task:
• Only the IKE-based IPsec policies can be bound to a source interface.
• An IPsec policy can be bound to only one source interface.
• A source interface can be bound to multiple IPsec policies.
• If the source interface bound to an IPsec policy is removed, the IPsec policy becomes a common IPsec policy.
• If no local address is specified for an IPsec policy that has been bound to a source interface, the IPsec policy uses the IP address of the bound source interface to perform IKE negotiation. If a local address is specified, the IPsec policy uses the local address to perform IKE negotiation.
To bind a source interface to an IPsec policy:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Bind a source interface to an IPsec policy.
  Command: ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number
  Remarks: By default, no source interface is bound to an IPsec policy.
Enabling QoS pre-classify
If you apply both an IPsec policy and a QoS policy to an interface, QoS classifies packets by using the new headers added by IPsec. If you want QoS to classify packets by using the headers of the original IP packets, enable the QoS pre-classify feature.
For more information about QoS policy and classification, see ACL and QoS Configuration Guide.
To enable the QoS pre-classify feature:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter IPsec policy view or IPsec policy template view.
  Command (use either):
    • To enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number [ isakmp | manual ]
    • To enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template } template-name seq-number
  Remarks: Use either command.
Step 3. Enable QoS pre-classify.
  Command: qos pre-classify
  Remarks: By default, QoS pre-classify is disabled.
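The two procedures above (binding a source interface to an IPsec policy, then enabling QoS pre-classify on that policy) combined into one configuration session. This is an added example, not a session taken from the guide; it assumes an existing IKE-based IPsec policy named policy1 with sequence number 10 and an interface LoopBack 0 that remains up independently of the physical links. The policy name, sequence number, interface choice and the Sysname prompts are assumptions; the command syntax is the one the tables above give.

```text
# Added example, not from the guide. Assumed names: policy1, seq 10, LoopBack 0.
<Sysname> system-view
[Sysname] ipsec policy policy1 local-address loopback 0
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] qos pre-classify
[Sysname-ipsec-policy-isakmp-policy1-10] quit
[Sysname] quit
```

Because no local address is configured on policy1, IKE negotiation uses the IP address of the bound interface LoopBack 0, as the guidelines state. Choosing an interface whose state does not depend on a single physical link is what keeps the negotiated SAs in place across link failover, per the paragraph at the top of this page. With qos pre-classify enabled, a QoS policy on the outbound interface classifies on the original IP headers rather than on the headers IPsec adds, so existing traffic classes keep matching after the policy is applied.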
Enabling logging of IPsec packets
Perform this task to enable the logging of IPsec packets that are discarded because of reasons such as IPsec SA lookup failure, AH-ESP authentication failure, and ESP encryption failure. The log information