HP VPN Firewall Appliances VPN Configuration Guide
In addition to physical interfaces like Ethernet ports, you can apply an IPsec policy to virtual interfaces,
such as tunnel and virtual template interfaces, to tunnel applications such as GRE and L2TP.
An interface can reference only one IPsec policy group. An IPsec policy that uses IKE can be applied to
more than one interface, but a manual IPsec policy can be applied to only one interface.
To apply an IPsec policy group to an interface:

Step                                              Command
1. Enter system view.                             system-view
2. Enter interface view.                          interface interface-type interface-number
3. Apply an IPsec policy group to the interface.  ipsec policy policy-name
Enabling the encryption engine
The encryption engine is a coprocessor that provides an encryption/decryption algorithm interface for
IPsec processing:
• If the encryption engine is enabled, the engine takes over IPsec processing.
• If the encryption engine is disabled or has failed, IPsec processing falls back to the software IPsec
module only when the IPsec module backup function is enabled; otherwise the packets matching the
IPsec policy are discarded.
To enable the encryption engine:

Step                              Command              Remarks
1. Enter system view.             system-view          N/A
2. Enable the encryption engine.  cryptoengine enable  Optional. By default, the encryption engine is enabled.
Enabling ACL checking for de-encapsulated IPsec packets
In tunnel mode, the inner IP packet carried in an inbound IPsec packet is constructed by the remote peer,
so its addresses and protocol might not fall within the ACL specified in the IPsec policy. If such packets
are forwarded unchecked, a peer can inject traffic the policy was never meant to admit. You can enable ACL
checking for de-encapsulated IPsec packets, so that every inner packet is matched against the policy's
ACL after decryption and all packets failing the check are discarded.
To enable ACL checking for de-encapsulated IPsec packets:

Step                                                       Command              Remarks
1. Enter system view.                                      system-view          N/A
2. Enable ACL checking for de-encapsulated IPsec packets.  ipsec decrypt check  Optional. Enabled by default.
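The following is an added illustration of what the decrypt check does; it is not HP or Comware code. The ACL rule format, the addresses and the packets are constructed for the example. The policy ACL permits only 10.1.1.0/24 to 10.2.2.0/24, and the peer sends one inner packet that matches and one that does not.

```python
"""Re-check the inner (de-encapsulated) packet of a tunnel-mode IPsec
packet against the IPsec policy's ACL.

Added example, not HP/Comware code. Rule syntax, addresses and packets are
constructed for illustration; a real implementation runs this after the
packet's authentication and decryption succeed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # inner IP source address
    dst: str    # inner IP destination address
    proto: str  # 'tcp', 'udp', 'icmp', ...


@dataclass(frozen=True)
class AclRule:
    action: str  # 'permit' or 'deny'
    proto: str   # 'ip' matches any protocol
    src: str     # source network, CIDR
    dst: str     # destination network, CIDR

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


def acl_permits(rules, pkt: Packet) -> bool:
    """First-match ACL evaluation with an implicit deny at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


def decrypt_check(rules, inner: Packet, enabled: bool = True) -> str:
    """Decide what happens to the inner packet after decryption.

    With the check enabled (the default), an inner packet outside the
    policy ACL is dropped; with it disabled the packet is forwarded as-is,
    which lets the peer choose any inner addresses it likes.
    Returns 'forward' or 'drop'."""
    if enabled and not acl_permits(rules, inner):
        return "drop"
    return "forward"


# Constructed policy ACL: only the two protected subnets may talk.
POLICY_ACL = [AclRule("permit", "ip", "10.1.1.0/24", "10.2.2.0/24")]

# Constructed inner packets: one expected, one injected by the peer.
LEGIT = Packet("10.1.1.5", "10.2.2.9", "tcp")
INJECTED = Packet("172.16.0.1", "10.2.2.9", "udp")


def demo():
    """Return (legit, injected with check, injected without check)."""
    return (decrypt_check(POLICY_ACL, LEGIT),
            decrypt_check(POLICY_ACL, INJECTED),
            decrypt_check(POLICY_ACL, INJECTED, enabled=False))


if __name__ == "__main__":
    print(demo())
```

The third result is the reason the check should stay enabled: without it, the only thing the firewall verifies about the inner packet is that the peer authenticated it, not that the policy allows it.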
Configuring the IPsec anti-replay function
The IPsec anti-replay function protects networks against replay attacks by using a sliding window
mechanism called the anti-replay window. This function checks the sequence number of each received
IPsec packet against the current sequence number range of the sliding window. A sequence number that
falls below the window, or that falls within the window but has already been accepted, marks the packet
as a replay and the packet is discarded; a sequence number above the window is accepted and advances
the window. The check is applied only after the packet's integrity verification succeeds, so a forged
packet cannot move the window.
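The sliding window described above, as an added example in Python; this is not HP or Comware code. It uses the bitmap layout from RFC 4303 Appendix A, a deliberately small constructed window size of 8, and a constructed sequence of packet numbers that exercises each outcome (accept, replay, stale).

```python
"""IPsec anti-replay sliding window (RFC 4303 Appendix A layout).

Added example, not HP/Comware code. Window size and sequence numbers are
constructed; a real implementation keeps one window per inbound SA and
consults it only after the packet's integrity check has passed."""


class AntiReplayWindow:
    """Tracks which sequence numbers of an inbound SA have been accepted."""

    def __init__(self, size: int = 64) -> None:
        if size <= 0:
            raise ValueError("window size must be positive")
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check(self, seq: int) -> str:
        """Return 'accept', 'replay' or 'stale', updating the window on accept."""
        if seq == 0:
            return "stale"  # sequence number 0 is never valid (RFC 4303 3.3.3)
        if seq > self.top:
            # New high-water mark: slide the window right by (seq - top) bits.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                       # everything older falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "stale"   # left of the window: too old to judge, drop it
        if self.bitmap & (1 << offset):
            return "replay"  # inside the window but already accepted once
        self.bitmap |= 1 << offset   # late but genuine: mark and accept
        return "accept"


def replay_demo(window_size: int = 8,
                seqs=(1, 3, 2, 2, 20, 12, 13, 13)):
    """Feed a constructed packet stream through one window.

    1, 3, 2 arrive slightly out of order and are all accepted; the second 2
    is a replay; 20 jumps far ahead and empties the window; 12 is now below
    the window (stale); 13 is accepted once and rejected on repeat."""
    window = AntiReplayWindow(window_size)
    return [window.check(s) for s in seqs]


if __name__ == "__main__":
    for seq, verdict in zip((1, 3, 2, 2, 20, 12, 13, 13), replay_demo()):
        print(f"seq {seq:3d}: {verdict}")
```

Reordering within the window is tolerated (packet 2 after packet 3 is accepted), which is why the window exists at all; only duplicates and packets that have dropped off the left edge are discarded.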