HP VPN Firewall Appliances VPN Configuration Guide

• Per-host mode—One tunnel protects one host-to-host data flow. One host-to-host data flow is
identified by one ACL rule and protected by one tunnel established solely for it. This mode is
configurable only in IPsec policies that use IKE negotiation.
For more information about ACL configuration, see Access Control Configuration Guide.
To use IPsec together with QoS, make sure that the ACL classification rules used by IPsec match the
QoS classification rules. If they do not match, QoS might place packets of the same IPsec SA into
different queues and transmit them out of order. When anti-replay is enabled, the receiving peer
discards any packet of that SA that arrives outside its anti-replay window, so the mismatch results in
packet loss. For more information about QoS classification rules, see Network Management
Configuration Guide.
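The following is an added example, not part of this guide and not the appliance's implementation: a minimal Python model of the receiver-side anti-replay sliding window defined in RFC 4303 section 3.4.3, driven with a constructed arrival order in which QoS has held one packet of an SA in a slower queue while later packets of the same SA overtake it. The window size of 64, the packet counts and the helper names (AntiReplayWindow, simulate_qos_reorder, receive) are assumptions for illustration; the guide does not state the appliance's default window size. It shows that a small reordering is tolerated but a delay longer than the window causes the drop described above.

```python
"""Added example (not part of the HP guide): a model of the IPsec anti-replay
sliding window from RFC 4303 section 3.4.3, fed with a constructed arrival
order that mimics QoS re-ordering packets of one SA. Window size 64 and the
packet counts are assumptions for illustration.
"""


class AntiReplayWindow:
    """Receiver-side anti-replay check for one inbound IPsec SA.

    `right` is the highest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (right - i) has already been seen.
    A packet is accepted if it is newer than `right`, or if it lies inside
    the window and has not been seen before. Anything older than the left
    edge (right - size + 1) is dropped, which is the loss the guide warns
    about when QoS delays some packets of an SA behind many others.
    A real implementation verifies the ICV before advancing the window;
    that step is omitted here because only sequencing is being modelled.
    """

    def __init__(self, size=64):
        self.size = size
        self.right = 0
        self.bitmap = 0
        self.accepted = []   # sequence numbers accepted, in arrival order
        self.dropped = []    # (sequence number, reason) for rejected packets

    def check(self, seq):
        """Return True if `seq` is accepted and record the decision."""
        if seq == 0:
            # ESP sequence numbers start at 1 when anti-replay is enabled.
            self.dropped.append((seq, "zero"))
            return False
        if seq > self.right:
            # Newer than anything seen: slide the window to the right.
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 1                     # everything older falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.right = seq
            self.accepted.append(seq)
            return True
        diff = self.right - seq
        if diff >= self.size:
            # Too old: more than `size` newer packets have already arrived.
            self.dropped.append((seq, "outside window"))
            return False
        if self.bitmap & (1 << diff):
            self.dropped.append((seq, "replay"))
            return False
        self.bitmap |= 1 << diff
        self.accepted.append(seq)
        return True


def simulate_qos_reorder(n_packets, delayed, delay):
    """Constructed arrival order for one SA whose packets the sender numbered
    1..n_packets in sequence: QoS holds packet `delayed` in a slower queue so
    that `delay` later packets of the same SA overtake it on the wire."""
    if delayed < 1 or delay < 1 or delayed + delay > n_packets:
        raise ValueError("delayed packet must be overtaken by in-range packets")
    order = list(range(1, n_packets + 1))
    order.remove(delayed)
    order.insert(order.index(delayed + delay) + 1, delayed)
    return order


def receive(order, size=64):
    """Run an arrival order through a fresh window and return it for inspection."""
    window = AntiReplayWindow(size)
    for seq in order:
        window.check(seq)
    return window


if __name__ == "__main__":
    # 10 packets overtake packet 5: still inside a 64-packet window, accepted.
    mild = receive(simulate_qos_reorder(100, delayed=5, delay=10))
    # 70 packets overtake packet 5: outside the window, dropped at the receiver.
    severe = receive(simulate_qos_reorder(100, delayed=5, delay=70))
    print("mild reorder dropped:", mild.dropped)      # []
    print("severe reorder dropped:", severe.dropped)  # [(5, 'outside window')]
```

The model makes the practical rule visible: reordering is harmless only while the displaced packet arrives within the window width, so a queueing mismatch that lets more than a window's worth of packets overtake one packet of the same SA loses that packet even though it was never tampered with or replayed.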
Configuring an IPsec transform set
An IPsec transform set, part of an IPsec policy or an IPsec profile, defines the security parameters for IPsec
SA negotiation, including the security protocol and the encryption and authentication algorithms.
You can configure up to 10000 IPsec transform sets in the system.
To configure an IPsec transform set:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Create an IPsec transform set and enter its view.
   Command: ipsec transform-set transform-set-name
   Remarks: By default, no IPsec transform set exists.
Step 3. Specify the security protocol for the IPsec transform set.
   Command: transform { ah | ah-esp | esp }
   Remarks: Optional. ESP by default. You can configure security algorithms for a security
   protocol only after that protocol is selected. For example, you can specify the ESP-specific
   security algorithms only when ESP is the selected security protocol. ESP supports three IP
   packet protection schemes: encryption only, authentication only, or both encryption and
   authentication. Encryption without authentication leaves the packet open to undetected
   modification, so select a scheme that provides authentication unless a separate AH header
   supplies integrity protection.