Configuring Acls - HP 10500 Series Configuration Manual

3. Configure IPsec policies to associate data flows with IPsec transform sets and specify the SA
negotiation mode, the peer IP addresses (the start and end points of the IPsec tunnel), the required
keys, and the SA lifetime.
4. Apply the IPsec policies to interfaces to finish IPsec configuration.
Complete the following tasks to configure ACL-based IPsec:
Task

Configuring ACLs

Configuring an IPsec transform set
Configuring an IPsec policy
Applying an IPsec policy group to an interface
Configuring the IPsec session idle timeout
Enabling ACL checking of de-encapsulated IPsec packets
Configuring the IPsec anti-replay function
Configuring packet information pre-extraction
Enabling invalid SPI recovery
Configuring ACLs
ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is
desired, such as QoS and IPsec.
To use IPsec in combination with QoS, make sure that IPsec's ACL classification rules match the QoS
classification rules. If the rules do not match, QoS may classify the packets of one IPsec SA to different
queues, causing packets to be sent out of order. When the anti-replay function is enabled, IPsec will
discard the packets beyond the anti-replay window in the inbound direction, resulting in packet loss. For
more information about QoS classification rules, see ACL and QoS Configuration Guide.
For more information about ACL configuration, see ACL and QoS Configuration Guide.
Keywords in ACL rules
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or
permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement
identifies a data flow that is not protected by IPsec. With IPsec, a packet is matched against the
referenced ACL rules and processed according to the first rule that it matches:
Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is
•
a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This rule matches
both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.
In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires
•
protection and continues to process it. If a deny statement is matched or no match is found, IPsec
considers that the packet does not require protection and delivers it to the next function module.
In the inbound direction:
•
Non-IPsec packets that match a permit statement are dropped.
IPsec packets that match a permit statement and are destined for the device itself are
de-encapsulated and matched against the rule again. Only those that match a permit statement
are processed by IPsec.
303
Remarks
Required.
Basic IPsec configuration
Optional.
Optional.
Optional.
Optional.
Optional.