HP 5120 SI Series

385 pages
| Step | Command |
|------|---------|
| 1. Enter system view. | system-view |
| 2. Enter interface view. | interface interface-type interface-number |
| 3. Apply an IPsec policy group to the interface. | ipsec policy policy-name |
NOTE:
• IPsec policies can be applied only to VLAN interfaces on the switch.
• An interface can reference only one IPsec policy group. An IPsec policy can be applied to only one
interface.
Configuring the IPsec session idle timeout
An IPsec session is created when the first packet matching an IPsec policy arrives. An IPsec session
entry is created at the same time; it records the quintuplet (source IP address, destination IP address,
protocol number, source port, and destination port) and the matched IPsec tunnel.
An IPsec session is automatically deleted after the idle timeout expires.
Subsequent packets are looked up in the session entries by their quintuplet. If a matching entry is
found, the packets are processed according to its tunnel information; otherwise, they are processed
according to the original IPsec process: search the policy group or policy at the interface, and then
find the matched tunnel.
Because a session match skips these intermediate matching procedures, the session processing
mechanism improves IPsec forwarding efficiency.
To set the IPsec session idle timeout:
| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Set the IPsec session idle timeout. | ipsec session idle-time seconds | Optional. 300 seconds by default. |
Enabling ACL checking of de-encapsulated IPsec packets
In tunnel mode, the IP packet that was encapsulated in an inbound IPsec packet may not be one that
an ACL specifies as traffic to be protected. A forged packet, for example, is not an object to be protected.
If you enable ACL checking of de-encapsulated IPsec packets, all packets that fail the check are
discarded, which improves network security.
To enable ACL checking of de-encapsulated IPsec packets:
| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Enable ACL checking of de-encapsulated IPsec packets. | ipsec decrypt check | Optional. Enabled by default. |
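
The following Python sketch is an added illustration of the check described in this section; it is not code from the manual or from the switch software. It assumes the ACL rules are written for outbound traffic and that an inbound inner packet is matched against their mirror image; the names Rule, InnerPacket, acl_protects and handle_decapsulated, and all addresses, are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One permit rule of the IPsec ACL, written for outbound traffic (assumed form)."""
    src: str    # local protected prefix
    dst: str    # remote protected prefix
    proto: int  # IP protocol number, 0 = any

@dataclass(frozen=True)
class InnerPacket:
    """Header fields of the IP packet recovered after tunnel-mode de-encapsulation."""
    src: str
    dst: str
    proto: int

def acl_protects(rules, pkt):
    """True if the inbound inner packet is the mirror image of a protected flow."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        # Inbound traffic reverses the outbound rule: its source must fall in the
        # rule's destination prefix and its destination in the rule's source prefix.
        if (s in ipaddress.ip_network(r.dst) and d in ipaddress.ip_network(r.src)
                and r.proto in (0, pkt.proto)):
            return True
    return False

def handle_decapsulated(rules, pkt, decrypt_check=True):
    """Return 'forward' or 'discard' for a packet that has just left the tunnel."""
    if decrypt_check and not acl_protects(rules, pkt):
        return "discard"
    return "forward"

# Constructed sample data: protect 10.1.1.0/24 (local) <-> 10.2.2.0/24 (remote).
ACL = [Rule("10.1.1.0/24", "10.2.2.0/24", 0)]
LEGIT = InnerPacket("10.2.2.7", "10.1.1.20", 6)        # remote site to local site
FORGED = InnerPacket("192.168.50.9", "10.1.1.20", 6)   # inner source outside the ACL

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("forged", FORGED)):
        print(name, handle_decapsulated(ACL, pkt), handle_decapsulated(ACL, pkt, False))
```

With the check disabled, the second packet is forwarded even though its inner header matches no protected flow, which is the case the default setting of ipsec decrypt check guards against.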
