Acl-Based Ipsec Configuration Task List; Configuring Acls - HP 3600 v2 Series Configuration Manual
Hide thumbs
Also See for 3600 v2 Series:
- Command reference manual (510 pages) ,
- Configuration manual (441 pages) ,
- Security configuration manual (398 pages)
Table of Contents
Advertisement
example, an ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it
cannot protect traffic that is forwarded by the device for two hosts, even if the host-to-host traffic matches
an ACL permit rule. For more information about configuring an ACL for IPsec, see
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and
50, respectively. Make sure flows of these protocols are not denied on the interfaces with IKE or IPsec
configured.
ACL-based IPsec configuration task list
The following is the generic configuration procedure for implementing ACL-based IPsec:
1.
Configure ACLs for identifying data flows to be protected.
2.
Configure IPsec proposals to specify the security protocols, authentication and encryption
algorithms, and encapsulation mode.
3.
Configure IPsec policies to associate data flows with IPsec proposals and specify the SA
negotiation mode, the peer IP addresses (the start and end points of the IPsec tunnel), the required
keys, and the SA lifetime.
4.
Apply the IPsec policies to interfaces to finish IPsec configuration.
To configure ACL-based IPsec:
Task
Configuring ACLs
Configuring an IPsec proposal
Configuring an IPsec policy
Applying an IPsec policy group to an interface
Configuring the IPsec session idle timeout
Enabling ACL checking of de-encapsulated IPsec packets
Configuring the IPsec anti-replay function
Configuring packet information pre-extraction
Configuring ACLs
ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is
desired, such as QoS and IPsec.
Keywords in ACL rules
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or
permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement
identifies a data flow that is not protected by IPsec. With IPsec, a packet is matched against the
referenced ACL rules and processed according to the first rule that it matches:
Each ACL rule matches both the outbound traffic and the returned inbound traffic. For the outbound
•
traffic, IPsec uses the source and destination IP addresses specified in the rule to match the source
and destination IP addresses of the traffic. For the returned inbound traffic, IPsec uses the destination
IP address and the source IP address specified in the rule to match the source IP address and the
destination IP address of the traffic.
274
"Configuring
ACLs."
Remarks
Required.
Basic IPsec configuration.
Optional.
Optional.
Optional.
Optional.
Advertisement
Table of Contents
Troubleshooting
