HP VPN Firewall Appliances VPN Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

171

172

173

174

175

176

177

178

179

180

163

Complete the following tasks to configure ACL-based IPsec:

Task Remarks

Configuring an ACL

Required.

Basic IPsec configuration.

Configuring an IPsec transform set

Configuring an IPsec policy

Applying an IPsec policy group to an interface

Enabling the encryption engine Optional.

Enabling ACL checking for de-encapsulated IPsec packets Optional.

Configuring the IPsec anti-replay function Optional.

Configuring packet information pre-extraction Optional.

Enabling invalid SPI recovery Optional.

Configuring IPsec RRI Optional.

Configuring IPsec stateful failover Optional.

Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and

50 respectively. Make sure that flows of these protocols are not denied on the interfaces with IKE or IPsec

configured.

Configuring an ACL

ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is

desired, such as QoS and IPsec.

1. Keywords in ACL rules

IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny

or permit statement. A permit statement identifies a data flow protected by IPsec, and a deny

statement identifies a data flow that is not protected by IPsec. With IPsec, a packet is matched

against the referenced ACL rules and processed according to the first rule that it matches:

{ Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose

there is a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This rule

matches both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.

{ In the outbound direction, if a permit statement is matched, IPsec considers that the packet

requires protection and continues to process it. If a deny statement is matched or no match is

found, IPsec considers that the packet does not require protection and delivers it to the next

function module.

{ In the inbound direction:

− Non-IPsec packets that match a permit statement are dropped.

− IPsec packets that match a permit statement and are destined for the device itself are

de-encapsulated and matched against the rule again. Only those that match a permit

statement are processed by IPsec.

When defining ACL rules for IPsec, follow these guidelines:

{ Permit only data flows that need to be protected and use the any keyword with caution. With the

any keyword specified in a permit statement, all outbound traffic matching the permit statement

will be protected by IPsec and all inbound IPsec packets matching the permit statement will be