155
interface-based IPsec"). By using IPsec profiles, this IPsec implementation method simplifies
IPsec VPN configuration and management, and improves the scalability of large VPN networks.
• Application-based IPsec protects the packets of a service. This IPsec implementation method
can be used to protect IPv6 routing protocols. It does not require any ACL, nor does it depend
on the routing mechanism. To configure service-based IPsec, configure manual IPsec policies
and bind the policies to an IPv6 routing protocol. See "Configuring IPsec for IPv6 routing
pr
otocols."
Implementing ACL-based IPsec
The following is the generic configuration procedure for implementing ACL-based IPsec:
1. Configure an ACL for identifying data flows to be protected.
2. Configure IPsec transform sets to specify the security protocols, and authentication and
encryption algorithms.
3. Configure an IPsec policy group to associate data flows with the IPsec transform sets and
specify the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec
path), the required keys, and the SA lifetime.
4. Apply the IPsec policies to interfaces to finish IPsec configuration. To implement IPsec through
an encryption card, bind the IPsec policies to one or more encryption cards as well as applying
IPsec policies to the interfaces.
Complete the following tasks to configure ACL-based IPsec:
Task Remarks
Configuring an ACL
Required.
Basic IPsec configuration.
Configuring an IPsec transform set
Configuring an IPsec policy
Applying an IPsec policy group to an interface
Binding an IPsec policy, IPsec policy group, or IPsec profile to an encryption
card
Optional.
Enabling the encryption engine
Optional.
Enabling the IPsec module backup function
Required.
Configuring the IPsec session idle timeout
Optional.
Enabling ACL checking of de-encapsulated IPsec packets
Optional.
Configuring the IPsec anti-replay function
Optional.
Configuring a shared source interface policy group
Optional.
Configuring packet information pre-extraction
Optional.
Enabling invalid SPI recovery
Optional.
Configuring IPsec RRI
Optional.
Enabling transparent data transmission without NAT
Optional.
Enabling fragmentation before/after encryption
Optional.
To Next Page
Loading...
Need help?
General
