HP VPN Firewall Appliances VPN Configuration Guide

Applying a QoS policy to an IPsec tunnel interface
The device allows you to apply a QoS policy to the IPsec tunnel interface. In this case, QoS is performed before IPsec encapsulation, and the priority of a resulting packet is the same as that of the original packet. QoS congestion management is also applied to packets before encapsulation, which prevents IPsec packets from being sent out of order.
This method is much more explicit and flexible than the alternative QoS implementation method, which enables packet information pre-extraction on the IPsec tunnel interface and requires applying a QoS policy to the physical outbound interface.
To apply a QoS policy to an IPsec tunnel interface:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter tunnel interface view. | interface tunnel number | N/A |
| 3. Apply a QoS policy to the IPsec tunnel interface. | qos apply policy policy-name { inbound \| outbound } | For more information about the command, see Network Management Command Reference. |
Configuring IPsec for IPv6 routing protocols
IMPORTANT:
Do not apply an IPsec policy used for an IPv6 routing protocol to an interface. If you do so, the interface will drop all packets, because the IPsec policy references no ACL.
Complete the following tasks to configure IPsec for IPv6 routing protocols:
| Task | Remarks |
|---|---|
| Configuring an IPsec transform set | Required. |
| Configuring a manual IPsec policy | Required. ACLs and IPsec tunnel addresses are not needed. |
| Applying an IPsec policy to an IPv6 routing protocol | Required. For information about how to configure IPsec for IPv6 BGP, OSPFv3, and RIPng, see Network Management Configuration Guide. |
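The IMPORTANT note in this section can be checked against a saved configuration. The following is an added example, not part of the HP guide: it flags interfaces that have an IPsec policy applied when that policy references no ACL. The configuration line syntax it parses (ipsec policy name seq-number manual, security acl, and the interface-view ipsec policy binding), the policy and interface names, and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample in an assumed Comware-style saved-configuration layout:
# top-level lines open a view, indented lines belong to it, "#" separates views.
SAMPLE_CONFIG = """\
ipsec policy ospfv3-pol 10 manual
 transform-set tran1
#
ipsec policy branch-vpn 10 manual
 security acl 3101
 transform-set tran1
#
interface GigabitEthernet0/1
 ipsec policy ospfv3-pol
#
interface GigabitEthernet0/2
 ipsec policy branch-vpn
#
"""

def audit_ipsec_bindings(config_text):
    """Return sorted (interface, policy) pairs where the applied policy references no ACL."""
    acl_by_entry = {}  # (policy name, sequence number) -> True if "security acl" is present
    applied = []       # (interface, policy name) bindings found in interface views
    entry = iface = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):  # a top-level line ends the previous view
            entry = iface = None
            m = re.match(r"ipsec policy (\S+) (\d+)\b", line)
            if m:
                entry = (m.group(1), int(m.group(2)))
                acl_by_entry[entry] = False
                continue
            m = re.match(r"interface (\S+)", line)
            if m:
                iface = m.group(1)
            continue
        body = line.strip()
        if entry and body.startswith("security acl "):
            acl_by_entry[entry] = True
        elif iface:
            m = re.match(r"ipsec policy (\S+)$", body)
            if m:
                applied.append((iface, m.group(1)))
    # A policy is risky on an interface when none of its entries references an ACL.
    with_acl = {name for (name, _), has_acl in acl_by_entry.items() if has_acl}
    no_acl = {name for (name, _) in acl_by_entry} - with_acl
    return sorted((i, p) for i, p in applied if p in no_acl)
```

Policies that are applied to an interface but not defined in the scanned text are not reported, because their ACL status cannot be determined.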
Configuring IPsec stateful failover
In an IPsec stateful failover scenario, these restrictions apply:
• VRRP must operate in the standard protocol mode, and a VRRP group can have only one virtual IP address.
• IPsec stateful failover supports only the active/standby failover mode.
• RSA signature authentication is not supported in IKE negotiation.