R2511-HP MSR Router Series Security Configuration Guide(V5)
• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other peer. As shown in Figure 55, the range specified by the ACL rule configured on Router A is covered by its counterpart on Router B.
• The peer with the narrower rule initiates SA negotiation. If a wider ACL rule is used by the SA initiator, the negotiation request might be rejected because the matching traffic is beyond the scope of the responder. As shown in Figure 55, the SA negotiation initiated by Host A to Host C is accepted, but the SA negotiations from Host C to Host B or from Host D to Host A are rejected.
Figure 55 Non-mirror image ACLs
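The two conditions above can be checked mechanically before the tunnel is brought up. The following Python model is an added example and not part of the configuration guide: it represents each peer's permit rule as a source/destination prefix pair, mirrors the remote peer's rule so both are viewed from the same side, decides which peer holds the narrower rule (and therefore should initiate), and then simulates whether a given negotiation request would be accepted by the responder. The addresses and prefix lengths (10.1.1.0/24, 10.2.2.0/24, 10.2.0.0/16, 10.1.0.0/16 and the host addresses) are constructed for the example and are not taken from Figure 55.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    """One permit rule of an IPsec ACL: traffic from src prefix to dst prefix."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


def mirror(rule: AclRule) -> AclRule:
    """The remote peer's rule as seen from the local side (source and destination swapped)."""
    return AclRule(rule.dst, rule.src)


def covers(wider: AclRule, narrower: AclRule) -> bool:
    """True if `wider` permits every flow that `narrower` permits."""
    return narrower.src.subnet_of(wider.src) and narrower.dst.subnet_of(wider.dst)


def classify(rule_a: AclRule, rule_b: AclRule) -> str:
    """Compare Router A's rule with Router B's rule, both viewed from Router A's side."""
    b_from_a = mirror(rule_b)
    if rule_a == b_from_a:
        return "mirror-image"
    if covers(b_from_a, rule_a):
        return "A narrower: A should initiate"
    if covers(rule_a, b_from_a):
        return "B narrower: B should initiate"
    return "neither covers the other: negotiation unreliable"


def negotiation_outcome(initiator_rule: AclRule, responder_rule: AclRule,
                        src_ip: str, dst_ip: str) -> str:
    """The initiator proposes to protect src->dst; the responder accepts only if its own
    rule, read in the reverse direction, covers that flow."""
    if not initiator_rule.matches(src_ip, dst_ip):
        return "not protected by initiator"
    return "accepted" if responder_rule.matches(dst_ip, src_ip) else "rejected"


# Constructed rules: Router A's rule is narrower than Router B's counterpart.
RULE_A = AclRule(ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.2.2.0/24"))
RULE_B = AclRule(ipaddress.ip_network("10.2.0.0/16"), ipaddress.ip_network("10.1.0.0/16"))

if __name__ == "__main__":
    print(classify(RULE_A, RULE_B))
    # A (narrow side) initiates for a host behind A to a host behind B: accepted.
    print(negotiation_outcome(RULE_A, RULE_B, "10.1.1.5", "10.2.2.7"))
    # B (wide side) initiates for a flow outside A's rule: rejected.
    print(negotiation_outcome(RULE_B, RULE_A, "10.2.3.1", "10.1.1.5"))
```

The `covers` check is the condition the first bullet describes, and `classify` tells you which router should be configured to bring the tunnel up; `negotiation_outcome` reproduces the second bullet, where a request from the wider side for a flow outside the narrower peer's rule is refused.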
Protection modes
Data flows can be protected in the following modes:
• Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one tunnel that is established solely for it.
• Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL. This mode applies only to scenarios that use IKE for negotiation.
For more information about ACL configuration, see ACL and QoS Configuration Guide.
To use IPsec in combination with QoS, make sure that IPsec's ACL classification rules match the QoS
classification rules. If the rules do not match, QoS might classify the packets of one IPsec SA to different
queues, causing packets to be sent out of order. When the anti-replay function is enabled, IPsec will
discard the packets beyond the anti-replay window in the inbound direction, resulting in packet loss. For
more information about QoS classification rules, see ACL and QoS Configuration Guide.
Configuring an IPsec transform set
An IPsec transform set, part of an IPsec policy or an IPsec profile, defines the security parameters for IPsec
SA negotiation, including the security protocol, and the encryption and authentication algorithms.
You can configure up to 10000 IPsec transform sets in the system.
To configure an IPsec transform set:
Step                     Command        Remarks
1. Enter system view.    system-view    N/A