Displaying and maintaining port security, Port security configuration examples, Autolearn configuration example – H3C Technologies H3C S12500-X Series Switches User Manual

Page 144: Ipsec tunnel establishment, Implementing acl-based ipsec, Protocols and standards, Feature restrictions and guidelines, Acl-based ipsec configuration task list


The device supports the following data flow protection modes:

Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it.

Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL. This mode is only used to communicate with old-version devices.

Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it. This mode consumes more system resources when multiple data flows exist between two subnets to be protected.
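As an added illustration (not from the H3C manual), the following Python script counts how many IPsec tunnels each protection mode would establish for a given ACL and a given set of flows; the ACL rules, addresses and flow list are constructed for the example, and the "tunnel key" model is an assumption that mirrors the three mode definitions above.

```python
from ipaddress import ip_address, ip_network

# Constructed ACL (rule id, source subnet, destination subnet); invented for the example.
ACL = [
    (0, "10.1.1.0/24", "10.2.1.0/24"),
    (1, "10.1.2.0/24", "10.2.2.0/24"),
]

# Constructed one-directional flows leaving the device (src, dst); invented for the example.
FLOWS = [
    ("10.1.1.5", "10.2.1.7"),
    ("10.1.1.6", "10.2.1.7"),
    ("10.1.1.5", "10.2.1.8"),
    ("10.1.2.9", "10.2.2.3"),
    ("192.168.0.1", "10.2.1.7"),  # matches no rule, so it is not protected
]

def match_rule(acl, src, dst):
    """Return the id of the first ACL rule permitting src -> dst, or None."""
    for rule_id, src_net, dst_net in acl:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return rule_id
    return None

def tunnel_keys(mode, acl, flows):
    """Distinct tunnels the policy would establish for these flows.

    aggregation: one tunnel for the whole ACL
    standard:    one tunnel per ACL rule that matches traffic
    per-host:    one tunnel per host pair within a matching rule
    """
    keys = set()
    for src, dst in flows:
        rule_id = match_rule(acl, src, dst)
        if rule_id is None:
            continue  # not selected by the ACL: forwarded without IPsec
        if mode == "aggregation":
            keys.add(("acl",))
        elif mode == "standard":
            keys.add(("rule", rule_id))
        elif mode == "per-host":
            keys.add(("host", rule_id, src, dst))
        else:
            raise ValueError(f"unknown protection mode: {mode}")
    return keys

def compare_modes(acl=ACL, flows=FLOWS):
    """Tunnel count per mode: per-host grows with the number of host pairs."""
    return {m: len(tunnel_keys(m, acl, flows)) for m in ("aggregation", "standard", "per-host")}
```

Running `compare_modes()` on the constructed data shows why per-host mode is the most resource-hungry: the same four protected flows need one tunnel in aggregation mode, two in standard mode and four in per-host mode.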


Protocols and standards

RFC 2401, Security Architecture for the Internet Protocol

RFC 2402, IP Authentication Header

RFC 2406, IP Encapsulating Security Payload

RFC 4552, Authentication/Confidentiality for OSPFv3


IPsec tunnel establishment

Implementing ACL-based IPsec protects packets identified by an ACL. To establish an ACL-based IPsec tunnel, configure an IPsec policy, reference an ACL in the policy, and apply the policy to an interface (see "Implementing ACL-based IPsec"). The IPsec tunnel establishment steps are the same in an IPv4 network and in an IPv6 network.


Implementing ACL-based IPsec


Feature restrictions and guidelines

ACLs for IPsec take effect only on traffic that is generated by the device and traffic that is destined for the device. They do not take effect on traffic forwarded through the device. For example, an ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it cannot protect all the data flows and voice flows that are forwarded by the device. For more information about configuring an ACL for IPsec, see "Configuring an ACL."

Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and
50. Make sure traffic of these protocols is not denied on the interfaces with IKE or IPsec configured.


ACL-based IPsec configuration task list

The generic configuration procedure for implementing ACL-based IPsec is as follows:

1. Configure an ACL for identifying data flows to be protected.

2. Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and the encapsulation mode.
