
HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

HPE FlexNetwork MSR Series
547 pages
• The peer with the narrower rule initiates SA negotiation. If a wider ACL rule is used by the SA
initiator, the negotiation request might be rejected because the matching traffic is beyond the
scope of the responder. As shown in Figure 57, the SA negotiation initiated by Host A to Host C
is accepted, but the SA negotiations from Host C to Host B or from Host D to Host A are rejected.
Figure 57 Non-mirror image ACLs
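The following is an added example, not part of the HPE guide: a small audit script that models the scope check described above to predict which peer can initiate SA negotiation when two ACLs are not mirror images. The subnets and names are constructed (they are not the addresses in Figure 57), and the containment test is a simplified model of the responder's behavior.

```python
from ipaddress import ip_network

# Constructed sample rules: (source, destination) as seen by the owning router.
ROUTER_A_ACL = [("10.1.1.0/24", "10.2.0.0/16")]  # wider rule
ROUTER_B_ACL = [("10.2.2.0/24", "10.1.1.0/24")]  # narrower rule


def parse(acl):
    """Convert string pairs into (source network, destination network) pairs."""
    return [(ip_network(src), ip_network(dst)) for src, dst in acl]


def responder_accepts(proposal, responder_rules):
    """Model of the scope check: the initiator's flow, viewed from the
    responder (source and destination swapped), must fit inside one rule."""
    src, dst = proposal
    return any(dst.subnet_of(r_src) and src.subnet_of(r_dst)
               for r_src, r_dst in responder_rules)


def negotiation_report(initiator_acl, responder_acl):
    """For each initiator rule, report whether the responder would accept it."""
    rules = parse(responder_acl)
    return [(f"{src} -> {dst}", responder_accepts((src, dst), rules))
            for src, dst in parse(initiator_acl)]


def is_mirror(acl_a, acl_b):
    """True when every rule on one peer has an exact reversed rule on the other."""
    return set(parse(acl_a)) == {(dst, src) for src, dst in parse(acl_b)}


if __name__ == "__main__":
    print("mirror image:", is_mirror(ROUTER_A_ACL, ROUTER_B_ACL))
    for name, init, resp in (("A initiates", ROUTER_A_ACL, ROUTER_B_ACL),
                             ("B initiates", ROUTER_B_ACL, ROUTER_A_ACL)):
        for flow, ok in negotiation_report(init, resp):
            print(f"{name}: {flow}: {'accepted' if ok else 'rejected'}")
```

With these rules, only the router holding the narrower rule can bring the SA up, which is why mirror-image ACLs are the configuration to aim for.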
Protection modes
Data flows can be protected in the following modes:
• Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is
protected by one tunnel that is established solely for it.
• Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL.
This mode applies only to scenarios that use IKE for negotiation.
For more information about ACL configuration, see HPE FlexNetwork MSR Router Series Comware
5 ACL and QoS Configuration Guide.
To use IPsec in combination with QoS, make sure that IPsec's ACL classification rules match the
QoS classification rules. If the rules do not match, QoS might classify the packets of one IPsec SA
into different queues, causing packets to be sent out of order. When the anti-replay function is
enabled, IPsec discards inbound packets that fall outside the anti-replay window, resulting in
packet loss. For more information about QoS classification rules, see HPE FlexNetwork MSR Router
Series Comware 5 ACL and QoS Configuration Guide.
Configuring an IPsec transform set
An IPsec transform set, part of an IPsec policy or an IPsec profile, defines the security parameters
for IPsec SA negotiation, including the security protocol, and the encryption and authentication
algorithms.
You can configure up to 10000 IPsec transform sets in the system.
To configure an IPsec transform set:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create an IPsec transform set and enter its view. | ipsec transform-set transform-set-name | By default, no IPsec transform set exists. You can configure up to 10000 IPsec transform sets in the system. |
