R2511-HP MSR Router Series Security Command Reference(V5)

An IPsec policy references only one ACL. If you specify more than one ACL for an IPsec policy, the IPsec policy references the one last specified.
In a GDOI IPsec policy view, you cannot specify an IPv6 ACL, nor specify the aggregation keyword.
Packets matching a permit rule of the specified ACL are discarded.
Examples
# Configure IPsec policy policy1 to reference ACL 3001.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-adv-3001] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] security acl 3001
# Configure IPsec policy policy2 to reference ACL 3002, setting the data flow protection mode to aggregation.
<Sysname> system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255
[Sysname-acl-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255
[Sysname-acl-adv-3002] quit
[Sysname] ipsec policy policy2 1 isakmp
[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation
Related commands
ipsec policy (system view)
tfc enable (IPsec policy view/IPsec policy template view/IPsec profile view)
Use tfc enable to enable the traffic flow confidentiality (TFC) padding function.
Use undo tfc enable to restore the default.
Syntax
tfc enable
undo tfc enable
Default
TFC padding is disabled.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
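The rules stated above for security acl (only the last specified ACL takes effect, aggregation is rejected in GDOI IPsec policy view) and the TFC padding default can be checked offline against a saved configuration. The following audit script is an added example, not part of this command reference; it assumes a configuration excerpt in the line-oriented style of a Comware running configuration (constructed below), that the policy creation line takes the form ipsec policy name seq-number { manual | isakmp | gdoi }, and that only IPv4 ACL numbers appear.

```python
import re

# Constructed Comware-style configuration excerpt (not taken from the original page).
SAMPLE_CONFIG = """\
acl number 3001
 rule 0 permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl number 3002
 rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
ipsec policy policy2 1 isakmp
 security acl 3001
 security acl 3002 aggregation
 tfc enable
ipsec policy policy3 10 gdoi
 security acl 3999 aggregation
"""

ACL_RE = re.compile(r"^acl number (\d+)$")
POLICY_RE = re.compile(r"^ipsec policy (\S+) (\d+) (manual|isakmp|gdoi)$")  # assumed form
SEC_ACL_RE = re.compile(r"^security acl (\d+)( aggregation)?$")


def audit_ipsec_policies(config_text):
    """Apply the reference's security acl / tfc enable rules to each policy; return findings."""
    acls, policies, cur = set(), [], None
    for line in (l.strip() for l in config_text.splitlines()):
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := POLICY_RE.match(line):
            cur = {"id": f"{m.group(1)} {m.group(2)}", "mode": m.group(3),
                   "acls": [], "tfc": False}
            policies.append(cur)
        elif cur and (m := SEC_ACL_RE.match(line)):
            cur["acls"].append((m.group(1), bool(m.group(2))))
        elif cur and line == "tfc enable":
            cur["tfc"] = True
    findings = []
    for p in policies:
        if len(p["acls"]) > 1:  # only the last 'security acl' in a policy takes effect
            shadowed = ", ".join(a for a, _ in p["acls"][:-1])
            findings.append(f"{p['id']}: ACL {shadowed} shadowed by last 'security acl'")
        if p["acls"]:
            acl, agg = p["acls"][-1]
            if acl not in acls:
                findings.append(f"{p['id']}: references undefined ACL {acl}")
            if agg and p["mode"] == "gdoi":  # aggregation keyword not accepted in GDOI view
                findings.append(f"{p['id']}: aggregation not allowed in GDOI policy")
        if not p["tfc"]:  # TFC padding is disabled unless 'tfc enable' is configured
            findings.append(f"{p['id']}: TFC padding disabled (default)")
    return findings
```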