Configuring acls – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

849

Step: Remarks

4. Configuring an IPsec policy
Required.
Configure an IPsec policy by specifying the parameters directly or using a created IPsec policy template. The device supports only IPsec policies that use IKE.
An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. The smaller the sequence number, the higher the priority of the IPsec policy in the policy group.
IMPORTANT:
An IPsec policy referencing a template cannot be used to initiate SA negotiations but can be used to respond to a negotiation request. The parameters specified in the IPsec policy template must match those of the remote end. The parameters not defined in the template are determined by the initiator.

5. Applying an IPsec policy group
Required.
Apply an IPsec policy group to an interface (logical or physical) to protect certain data flows.

6. Viewing IPsec SAs
Optional.
View brief information about established IPsec SAs to verify your configuration.

7. Viewing packet statistics
Optional.
View packet statistics to verify your configuration.

Configuring ACLs

For more information about ACL configuration, see "QoS > ACL IPv4" and "QoS > ACL IPv6."

If you enable both IPsec and QoS on an interface, the traffic of one IPsec SA may be put into different queues by QoS, causing some packets to be sent out of order. Because IPsec performs anti-replay checking, inbound packets that fall outside the anti-replay window may be discarded, resulting in packet loss. When using IPsec together with QoS, make sure that they use the same classification rules. IPsec classification rules depend on the referenced ACL rules. For more information about QoS classification rules, see "Configuring QoS."

When defining ACL rules for IPsec, follow these guidelines:

- Make sure that only the data flows to be protected by IPsec are defined in permit statements. If a packet is protected at the entry of the IPsec tunnel but not at the exit of the IPsec tunnel, it will be dropped.

- Avoid statement conflicts within the scope of an IPsec policy group. When creating a deny statement, be careful with its matching scope and its matching order relative to permit statements. The policies in an IPsec policy group have different match priorities, and ACL rule conflicts between them are prone to cause packets to be handled incorrectly. For example, when configuring a permit statement for an IPsec policy to protect an outbound traffic flow, you must avoid the situation where that traffic flow matches a deny statement in a higher-priority IPsec policy. Otherwise, the packets will be sent out as normal packets, and if they match a permit statement at the receiving end, they will be dropped by IPsec.
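The two guidelines above describe the same failure from both ends of the tunnel: a flow classified differently at entry and at exit is dropped. The following added example (not from the H3C manual) models an IPsec policy group as a list of policies ordered by sequence number, each with its own ACL, and reports the fate of a flow under a constructed sender and receiver configuration; the rule and address values are made up for illustration, and the receiver's ACL is assumed to be the mirror image of the sender's, so the inbound packet is checked with source and destination swapped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class AclRule:
    action: str  # "permit" (protect with IPsec) or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR

@dataclass
class IpsecPolicy:
    seq: int     # smaller sequence number = higher priority in the group
    rules: list  # ACL rules, checked in order; first match wins

def acl_action(rules, src, dst):
    """Action of the first rule matching the flow, or None when nothing matches."""
    for r in rules:
        if ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst):
            return r.action
    return None

def classify(group, src, dst):
    """Walk the policy group in priority order. The first ACL decision wins:
    'permit' protects the flow, 'deny' (or no match at all) sends it as a normal packet."""
    for pol in sorted(group, key=lambda p: p.seq):
        action = acl_action(pol.rules, src, dst)
        if action is not None:
            return "protect" if action == "permit" else "clear"
    return "clear"

def tunnel_outcome(sender_group, receiver_group, src, dst):
    """End-to-end fate of one flow. The receiver's ACL is written from its own
    point of view (mirror ACL), so the inbound packet is checked with src/dst swapped."""
    entry = classify(sender_group, src, dst)
    exit_ = classify(receiver_group, dst, src)
    if entry == "protect" and exit_ == "protect":
        return "delivered by IPsec"
    if entry == "protect":
        return "dropped: protected at tunnel entry but not at tunnel exit"
    if exit_ == "protect":
        return "dropped: sent as normal packet but matches a permit at the receiving end"
    return "delivered unprotected"

# Constructed sample configuration: the deny in seq 10 outranks the permit in seq 20
# for part of the 10.1.0.0/16 -> 10.2.0.0/16 traffic, which the receiver still expects protected.
SENDER = [IpsecPolicy(10, [AclRule("deny", "10.1.1.0/24", "10.2.2.0/24")]),
          IpsecPolicy(20, [AclRule("permit", "10.1.0.0/16", "10.2.0.0/16")])]
RECEIVER = [IpsecPolicy(10, [AclRule("permit", "10.2.0.0/16", "10.1.0.0/16")])]

if __name__ == "__main__":
    for src, dst in (("10.1.3.5", "10.2.5.1"), ("10.1.1.5", "10.2.2.9")):
        print(f"{src} -> {dst}: {tunnel_outcome(SENDER, RECEIVER, src, dst)}")
```

Running it shows the second flow silently leaving the sender in cleartext and then being dropped at the receiver, which is the symptom the guideline warns about; passing an empty receiver group reproduces the first guideline's entry-but-not-exit drop.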
