3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

IPsec Configuration 161
peer) are mandatory, while the configuration of the data stream to be protected
and the PFS feature are optional. Note that if an IPsec policy template is used for
policy matching, the parameters configured in the template must be matched during
IKE negotiation. After configuring the policy template, you must execute the
command in Table 149 to reference the template from an IPsec policy.
CAUTION: A policy created from an IPsec policy template cannot initiate a
security association negotiation, but it can respond to one.
Applying IPsec Policy Group to Interface
To put a defined SA into effect, you must apply an IPsec policy group to the
interface (logical or physical) on which outgoing data needs encryption or
incoming data needs decryption. The interface then encrypts and decrypts traffic
according to the IPsec policy group, in conjunction with the peer security gateway.
Removing the IPsec policy group from the interface disables IPsec protection on
that interface.
Perform the configuration in Table 150 in interface view.
An interface can use only one IPsec policy group. Only an ISAKMP IPsec policy
group can be applied to more than one interface; a manually configured IPsec
policy group can be applied to only one interface.
When a packet is transmitted from an interface, the IPsec policies in the policy
group are searched in ascending order of sequence number. If the access control
list referenced by an IPsec policy permits the packet, the packet is processed by
that policy. If it is not permitted, the search continues with the next IPsec
policy. If the packet is not permitted by the access control list of any IPsec
policy in the group, it is transmitted directly, without IPsec protection. Traffic
that matches no ACL therefore leaves the interface in cleartext, so make sure the
referenced ACLs cover every flow that must be protected.
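The lookup described above, as an added example rather than code from the 3Com guide or the switch software: a Python model of a policy group whose policies are searched in ascending sequence-number order, where the first policy whose ACL permits the packet wins and a packet that no ACL permits is forwarded in the clear. The group name, sequence numbers 10 and 20, ACL numbers 3001 and 3002 and the sample packets are constructed for illustration.

```python
"""Model of the per-interface IPsec policy-group lookup.

Added example, not code from the 3Com guide or the switch: it simulates the
search order the guide describes. Group name, sequence numbers, ACL numbers
and packets below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class AclRule:
    action: str   # "permit" or "deny"
    src: str      # source prefix, e.g. "10.1.1.0/24"
    dst: str      # destination prefix

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass
class Acl:
    number: int
    rules: List[AclRule]

    def permits(self, src_ip: str, dst_ip: str) -> bool:
        # First matching rule decides; a packet matching no rule is not permitted.
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip):
                return rule.action == "permit"
        return False


@dataclass
class IpsecPolicy:
    seq: int   # sequence number within the policy group
    acl: Acl   # access control list referenced by the policy


@dataclass
class IpsecPolicyGroup:
    name: str
    policies: List[IpsecPolicy] = field(default_factory=list)

    def select(self, src_ip: str, dst_ip: str) -> Optional[IpsecPolicy]:
        # Search in ascending sequence-number order regardless of the order the
        # policies were configured; the first permitting ACL wins.
        for policy in sorted(self.policies, key=lambda p: p.seq):
            if policy.acl.permits(src_ip, dst_ip):
                return policy
        return None   # no ACL permitted the packet: it is sent unprotected


def classify(group: IpsecPolicyGroup,
             packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, disposition) per packet; disposition is
    'ipsec:<seq>' for a protected packet or 'clear' for an unprotected one."""
    result = []
    for src, dst in packets:
        policy = group.select(src, dst)
        result.append((src, dst, f"ipsec:{policy.seq}" if policy else "clear"))
    return result


def build_example_group() -> IpsecPolicyGroup:
    # Constructed: ACL 3001 is narrower than ACL 3002 and sits at the lower
    # sequence number, so it wins for 10.1.1.0/24 -> 10.2.2.0/24 even where
    # ACL 3002 would deny. Policies are deliberately listed out of seq order.
    acl3001 = Acl(3001, [AclRule("permit", "10.1.1.0/24", "10.2.2.0/24")])
    acl3002 = Acl(3002, [AclRule("deny", "10.1.1.0/24", "10.2.2.50/32"),
                         AclRule("permit", "10.1.0.0/16", "10.2.0.0/16")])
    return IpsecPolicyGroup("grp", [IpsecPolicy(20, acl3002),
                                    IpsecPolicy(10, acl3001)])


EXAMPLE_PACKETS = [
    ("10.1.1.5", "10.2.2.9"),    # ACL 3001 permits -> policy 10
    ("10.1.7.5", "10.2.9.9"),    # only ACL 3002 permits -> policy 20
    ("10.1.1.5", "10.2.2.50"),   # 3001 permits first, 3002's deny never consulted
    ("192.0.2.1", "10.2.2.9"),   # no ACL permits -> forwarded in cleartext
]

if __name__ == "__main__":
    for src, dst, disposition in classify(build_example_group(), EXAMPLE_PACKETS):
        print(f"{src} -> {dst}: {disposition}")
```

The last packet is the case to audit for: nothing in the group claims it, so the switch forwards it without IPsec rather than dropping it.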
3Com's IPsec policy implementation can be applied not only to physical ports such
as serial and Ethernet ports, but also to virtual interfaces such as Tunnel and
Virtual Template interfaces. This allows IPsec to protect tunnels such as GRE and
L2TP as the network requires.
Disabling Next-Payload Field Checking
An IKE negotiation packet comprises multiple payloads, each carrying a generic
header with a next-payload field. According to the protocol, this field in the
last payload should be set to 0; some vendors' implementations set it
differently. For compatibility, you can use the following commands to have the
switch ignore this field during IKE negotiation.
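To make the next-payload rule concrete, here is an added Python example (not code from the 3Com guide or the switch) that walks the payload chain of an IKEv1/ISAKMP message using the 28-byte ISAKMP header and 4-byte generic payload header defined in RFC 2408, and reports whether the last payload's next-payload field is 0. The `ignore_last_next_payload` flag is a hypothetical stand-in for the compatibility option the text describes; the two messages at the bottom are constructed by hand, and their cookies, exchange type and payload bodies are arbitrary.

```python
"""Walk the payload chain of an ISAKMP (IKEv1) message and check the
next-payload field of the last payload.

Added example, not code from the 3Com guide or the switch. Header layout
follows RFC 2408: 28-byte ISAKMP header (next-payload at byte 16, total
length at bytes 24..27), then payloads each starting with a 4-byte generic
header: next-payload(1) reserved(1) payload-length(2), length including the
header. The sample messages below are constructed.
"""
import struct
from typing import List, Tuple

ISAKMP_HDR_LEN = 28
GENERIC_HDR_LEN = 4
NEXT_NONE = 0   # value the last payload's next-payload field should carry

PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}


class IsakmpError(ValueError):
    """Raised when the message does not parse or violates the next-payload rule."""


def walk_payloads(msg: bytes, ignore_last_next_payload: bool = False) -> List[Tuple[int, int]]:
    """Return [(payload_type, payload_length), ...] in chain order.

    Length and truncation checks are always enforced. In strict mode the last
    payload must carry next-payload 0; with ignore_last_next_payload=True a
    non-zero value there is tolerated (the compatibility behaviour)."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise IsakmpError("truncated ISAKMP header")
    next_type = msg[16]
    (total_len,) = struct.unpack("!I", msg[24:28])
    if total_len != len(msg):
        raise IsakmpError(f"header length {total_len} != message length {len(msg)}")
    off, chain = ISAKMP_HDR_LEN, []
    while next_type != NEXT_NONE:
        if off + GENERIC_HDR_LEN > len(msg):
            raise IsakmpError(f"payload header at offset {off} runs past end of message")
        cur_type = next_type
        next_type, _reserved, plen = struct.unpack("!BBH", msg[off:off + GENERIC_HDR_LEN])
        if plen < GENERIC_HDR_LEN or off + plen > len(msg):
            raise IsakmpError(f"bad payload length {plen} at offset {off}")
        chain.append((cur_type, plen))
        off += plen
        if off == len(msg) and next_type != NEXT_NONE:
            # Final payload with a dangling next-payload value: protocol
            # violation, or the vendor quirk the compatibility option papers over.
            if ignore_last_next_payload:
                break
            raise IsakmpError(f"last payload {PAYLOAD_NAMES.get(cur_type, cur_type)} "
                              f"has next-payload {next_type}, expected 0")
    if off != len(msg):
        raise IsakmpError(f"{len(msg) - off} trailing bytes after last payload")
    return chain


def negotiation_accepts(msg: bytes, ignore_last_next_payload: bool = False) -> bool:
    """True if the message would be accepted under the given checking mode."""
    try:
        walk_payloads(msg, ignore_last_next_payload)
        return True
    except IsakmpError:
        return False


def _payload(next_field: int, body: bytes) -> bytes:
    return struct.pack("!BBH", next_field, 0, GENERIC_HDR_LEN + len(body)) + body


def build_message(first_type: int, payloads: List[Tuple[int, bytes]]) -> bytes:
    """Build a message; each entry is (next_payload_field, body). Types are
    implied by the chain: header.next -> payload 0, payload 0.next -> payload 1."""
    body = b"".join(_payload(nxt, data) for nxt, data in payloads)
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first_type,
                      0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(body))   # v1.0, main mode
    return hdr + body


# Constructed: SA payload (type 1) followed by a Vendor ID payload (type 13).
CONFORMING = build_message(1, [(13, b"\x00\x00\x00\x01" * 2), (0, b"vendor-id-bytes")])
# Same message from a peer that leaves a stale value in the last next-payload field.
NONCONFORMING = build_message(1, [(13, b"\x00\x00\x00\x01" * 2), (4, b"vendor-id-bytes")])

if __name__ == "__main__":
    print("conforming, strict:", negotiation_accepts(CONFORMING))
    print("nonconforming, strict:", negotiation_accepts(NONCONFORMING))
    print("nonconforming, ignoring field:", negotiation_accepts(NONCONFORMING, True))
```

Note that the lenient mode only relaxes the dangling next-payload value; payload lengths that overrun the message are still rejected, which is the part of the check you do not want to give up for compatibility.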
Table 149 Reference an IPsec policy template
Operation                               Command
Reference an IPsec policy template      ipsec policy policy-name seq-number isakmp template template-name

Table 150 Use an IPsec policy group
Operation                               Command
Apply the IPsec policy group            ipsec policy policy-name
Remove the IPsec policy group in use    undo ipsec policy [ policy-name ]