Applying An Ipsec Policy To An Interface - HP FlexNetwork 10500 Series Security Configuration Manual


Step 12. (Optional.) Enable the Traffic Flow Confidentiality (TFC) padding feature.
    Command: tfc enable
    Remarks: By default, the TFC padding feature is disabled.
Step 13. Return to system view.
    Command: quit
    Remarks: N/A
Step 14. Configure the global SA lifetime.
    Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
    Remarks: By default, the time-based SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes.
Step 15. (Optional.) Enable the global IPsec SA idle timeout feature, and set the global SA idle timeout.
    Command: ipsec sa idle-time seconds
    Remarks: By default, the global IPsec SA idle timeout feature is disabled.
Step 16. Create an IPsec policy by using the IPsec policy template.
    Command: ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name
    Remarks: By default, no IPsec policy exists.

Applying an IPsec policy to an interface

You can apply an IPsec policy to an interface to protect certain data flows. To cancel the IPsec protection, remove the application of the IPsec policy. In addition to physical interfaces, such as Ethernet interfaces, you can apply an IPsec policy to virtual interfaces, such as tunnel and virtual template interfaces, to protect applications such as GRE and L2TP.

For each packet to be sent out of an interface that has an IPsec policy applied, the interface looks through the IPsec policy entries in the IPsec policy in ascending order of sequence numbers. If the packet matches the ACL of an IPsec policy entry, the interface uses that IPsec policy entry to protect the packet. If no match is found, the interface sends the packet out without IPsec protection.

When the interface receives an IPsec packet whose destination address is the IP address of the local device, it searches for the inbound IPsec SA according to the SPI carried in the IPsec packet header for de-encapsulation. If the de-encapsulated packet matches the permit rule of the ACL, the device processes the packet. Otherwise, it drops the packet.

An interface can use only one IPsec policy. An IKE-based IPsec policy can be applied to more than one interface, but a manual IPsec policy can be applied to only one interface.

To apply an IPsec policy to an interface:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Apply an IPsec policy to the interface.
    Command: ipsec apply { policy | ipv6-policy } policy-name
    Remarks: By default, no IPsec policy is applied to the interface. You can apply only one IPsec policy to an interface. An IKE-mode IPsec policy can be applied to multiple interfaces, and a manual IPsec policy can be applied to only one interface.
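The lookup behaviour described above (outbound entries tried in ascending sequence-number order, unmatched traffic sent in the clear; inbound packets matched to an SA by SPI and then checked against the ACL) is easy to get wrong when writing the ACLs, because a flow that no permit rule covers silently leaves the interface unprotected. The following Python model is an added illustration, not HP or Comware code. All addresses, sequence numbers and SPI values are constructed, and two modelling choices are assumptions rather than statements from this page: a packet hitting a deny rule is treated as "not matched by that entry" and the search continues with the next entry, and the inbound check compares the de-encapsulated packet against the entry's ACL with source and destination swapped.

```python
"""Model of the IPsec policy lookup on an interface: outbound packets are
checked against policy entries in ascending sequence-number order and leave
in the clear if no ACL permits them; inbound IPsec packets are matched to an
SA by SPI and the de-encapsulated packet must be permitted by the ACL.
Added illustration, not HP or Comware code."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    spi: Optional[int] = None            # present only on inbound IPsec packets
    inner: Optional["Packet"] = None     # payload packet carried by an IPsec packet


@dataclass(frozen=True)
class AclRule:
    action: str   # "permit" or "deny"
    src: str      # CIDR prefix or "any"
    dst: str


@dataclass(frozen=True)
class PolicyEntry:
    seq: int
    acl: tuple           # AclRule objects, evaluated in order, first match decides
    inbound_spi: int     # SPI of the inbound SA for this entry (constructed value)


def _in_prefix(ip: str, prefix: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def acl_permits(acl, pkt: Packet, mirror: bool = False) -> bool:
    """First rule matching src/dst decides; a packet no rule matches is not permitted.
    mirror=True swaps src/dst (assumption: inbound traffic is checked against the
    ACL that was written for the outbound direction)."""
    src, dst = (pkt.dst, pkt.src) if mirror else (pkt.src, pkt.dst)
    for rule in acl:
        if _in_prefix(src, rule.src) and _in_prefix(dst, rule.dst):
            return rule.action == "permit"
    return False


def outbound_lookup(policy, pkt: Packet):
    """Return ('protected', seq) for the lowest-sequence entry whose ACL permits
    the packet, else ('clear', None): unmatched traffic leaves unprotected."""
    for entry in sorted(policy, key=lambda e: e.seq):
        if acl_permits(entry.acl, pkt):
            return "protected", entry.seq
    return "clear", None


def inbound_lookup(policy, pkt: Packet) -> str:
    """Locate the inbound SA by SPI, de-encapsulate, then require an ACL permit."""
    entry = next((e for e in policy if e.inbound_spi == pkt.spi), None)
    if entry is None or pkt.inner is None:
        return "drop: no SA for SPI"
    if acl_permits(entry.acl, pkt.inner, mirror=True):
        return "accept"
    return "drop: inner packet not permitted by ACL"


# Constructed policy, deliberately listed out of order to show the sort by
# sequence number. Entry 10 protects 10.1.1.0/24 -> 10.2.2.0/24 except one host;
# entry 20 protects 10.1.0.0/16 -> 10.3.3.0/24.
POLICY = (
    PolicyEntry(20, (AclRule("permit", "10.1.0.0/16", "10.3.3.0/24"),), inbound_spi=0x2002),
    PolicyEntry(10, (AclRule("deny", "10.1.1.99/32", "10.2.2.0/24"),
                     AclRule("permit", "10.1.1.0/24", "10.2.2.0/24")), inbound_spi=0x1001),
)

if __name__ == "__main__":
    print(outbound_lookup(POLICY, Packet("10.1.1.5", "10.2.2.7")))    # ('protected', 10)
    print(outbound_lookup(POLICY, Packet("10.1.9.5", "10.3.3.1")))    # ('protected', 20)
    print(outbound_lookup(POLICY, Packet("10.1.1.5", "192.0.2.1")))   # ('clear', None): leaves unprotected
    esp = Packet("198.51.100.2", "198.51.100.1", spi=0x1001,
                 inner=Packet("10.2.2.7", "10.1.1.5"))
    print(inbound_lookup(POLICY, esp))                                # accept
```

The third outbound case is the one to watch for when auditing a policy: the packet matches no entry, so the interface forwards it without IPsec protection rather than dropping it. Reviewing the ACLs with this kind of table of expected flows is a cheap way to confirm that every flow meant to be protected actually hits a permit rule.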
