3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

IPsec Configuration 149
Import ACL into IPsec policy
Configure starting and end points for Tunnel
Configure SPI for SA
Configure SA keys
For IKE mode:
Create IPsec policy using IKE
Import card SA proposal into IPsec policy
Import ACL into IPsec policy
Import IKE peer into IPsec policy
Configure SA duration (optional)
Configure PFS feature for negotiation (optional)
An IPsec policy can reference an IPsec proposal or card SA proposal as needed.
4 Configure IPsec policy template (optional)
5 Apply IPsec policy on the interface
6 Disable next-payload field checking (optional)
Configuring the encryption card (optional)
Enable the encryption card
1 Enable Comware main software backup
2 Configure the fast forwarding function of the encryption card
3 Configure the simple network management operations for the encryption card
Defining ACL
IPsec uses advanced ACLs to determine which packets need to be protected. The role of advanced ACLs in IPsec differs from the one they play in firewalls. Normally, advanced ACLs determine which data is permitted and which is denied on which interface. In IPsec, however, advanced ACLs determine which packets need security protection and which do not. For this reason, an advanced ACL applied in IPsec is in fact an encryption ACL: packets permitted by the encryption ACL are protected, while packets denied by the ACL are not. An encryption ACL can be applied on both input interfaces and output interfaces.
For more information about the detailed configuration of ACLs, see the Security part in this manual.
The encryption ACLs defined at the local and peer security gateways should be consistent (that is, they should mirror each other), so that either side can decrypt the data encrypted by the other side. Otherwise, one end cannot decrypt data sent from the other end. For example,
Local end:
acl number 3101
rule 1 permit ip source 173.1.1.0 0.0.0.255 destination 173.2.2.0 0.0.0.255
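The mirror-image requirement above is easy to get wrong when the two gateways are configured by different people. The following Python script is an added example, not part of the 3Com manual or the Comware software: it parses Comware-style advanced ACL rule lines of the address-plus-wildcard form, normalises each permit rule into a flow (host bits inside the wildcard are cleared, and rule numbers are ignored so that the peers may number their rules differently), and reports any protected flow whose mirror image (source and destination swapped) is missing on the other side. The local ACL is the one shown on this page; the two peer ACLs are constructed for the example, one correct mirror and one with a wrong destination. Rules written with the "any" keyword or with port qualifiers are skipped by this parser.

```python
"""Check that the encryption ACLs of two IPsec peers mirror each other.

Added example (not from the 3Com manual). Parses Comware-style
'rule N permit <proto> source A WC destination B WC' lines and reports
permit rules whose mirror image is missing on the other gateway.
"""
import ipaddress
import re
from dataclasses import dataclass

# Address+wildcard form only; 'any' and port qualifiers are not handled.
RULE_RE = re.compile(
    r"^rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+source\s+(?P<src>[\d.]+)\s+(?P<src_wc>[\d.]+)"
    r"\s+destination\s+(?P<dst>[\d.]+)\s+(?P<dst_wc>[\d.]+)\s*$"
)


@dataclass(frozen=True)
class Flow:
    """One flow selected for protection, normalised so that rule numbers
    and host bits covered by the wildcard do not affect comparison."""
    proto: str
    src: str  # "network/wildcard" with host bits cleared
    dst: str

    def mirrored(self) -> "Flow":
        # The peer must protect the same flow in the opposite direction.
        return Flow(self.proto, self.dst, self.src)


def _net(addr: str, wildcard: str) -> str:
    """Clear the host bits selected by a Comware wildcard (inverse mask)."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    base = ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF)
    return f"{base}/{wildcard}"


def parse_permit_flows(acl_text: str) -> set:
    """Return the flows an encryption ACL selects for IPsec protection.

    Only 'permit' rules select traffic; 'deny' rules leave it unprotected,
    so they are irrelevant to the mirror check.
    """
    flows = set()
    for line in acl_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m["action"] == "permit":
            flows.add(Flow(m["proto"],
                           _net(m["src"], m["src_wc"]),
                           _net(m["dst"], m["dst_wc"])))
    return flows


def check_mirror(local_acl: str, peer_acl: str) -> dict:
    """Report protected flows whose mirror image the other side lacks.

    An empty result on both keys means the ACLs are consistent in the
    sense the manual requires; anything else is traffic one end will
    encrypt and the other end cannot decrypt.
    """
    local = parse_permit_flows(local_acl)
    peer = parse_permit_flows(peer_acl)
    fmt = lambda f: f"{f.proto} {f.src} -> {f.dst}"
    return {
        "missing_on_peer": sorted(fmt(f) for f in local if f.mirrored() not in peer),
        "missing_on_local": sorted(fmt(f) for f in peer if f.mirrored() not in local),
    }


# Local end, as shown in the manual.
LOCAL_ACL = """acl number 3101
rule 1 permit ip source 173.1.1.0 0.0.0.255 destination 173.2.2.0 0.0.0.255
"""

# Constructed peer ACLs: a correct mirror and a misconfigured one.
PEER_ACL_OK = """acl number 3101
rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.1.1.0 0.0.0.255
"""
PEER_ACL_BAD = """acl number 3101
rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.3.3.0 0.0.0.255
"""

if __name__ == "__main__":
    print("consistent peer:", check_mirror(LOCAL_ACL, PEER_ACL_OK))
    print("misconfigured peer:", check_mirror(LOCAL_ACL, PEER_ACL_BAD))
```

Because the comparison is done on normalised flows, a rule such as `source 173.1.1.7 0.0.0.255` is treated as the same /24 as `source 173.1.1.0 0.0.0.255`; this matches how the wildcard is applied, but it also means the script will not flag a sloppily written rule that happens to select the intended network.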