H3C Technologies H3C SecPath F1000-E User Manual


Step 5. Specify the source address or interface of the tunnel interface.
    Command: source { ip-address | interface-type interface-number }
    Remarks: By default, no source address or interface is specified for a tunnel interface. If you specify an interface, the tunnel interface will take the primary IP address of the source interface.

Step 6. Specify the destination address of the tunnel interface.
    Command: destination ip-address
    Remarks: Optional for an IKE negotiation responder, and required for an IKE negotiation initiator. By default, no tunnel destination address is configured.

Step 7. Apply an IPsec profile to the tunnel interface.
    Command: ipsec profile profile-name
    Remarks: N/A

NOTE:

An IPsec profile can be applied to an IPsec tunnel interface only.

An IPsec tunnel interface can reference only one IPsec profile.

Apply an IPsec profile to only one IPsec tunnel interface. Although an IPsec profile can be applied to
multiple IPsec tunnel interfaces, it takes effect only on the IPsec tunnel interface that goes up first.

Enabling packet information pre-extraction on the IPsec tunnel interface

Because packets that an IPsec tunnel interface passes to a physical interface are encapsulated, the QoS module cannot obtain the 5-tuple (source IP, destination IP, source port, destination port, and protocol) of the original packets. To address this problem, enable packet information pre-extraction on the tunnel interface.

With packet information pre-extraction enabled, an IPsec tunnel interface buffers the IP 5-tuple data in the original packets, so that the corresponding physical interface can perform QoS processing such as traffic classification and IP precedence setting.

To implement QoS for IPsec packets, however, you also need to apply a QoS policy to the physical outbound interface. For more information about how to apply a QoS policy to a physical interface, see Network Management Configuration Guide.

To enable packet information pre-extraction on an IPsec tunnel interface:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter tunnel interface view.
    Command: interface tunnel number
    Remarks: N/A

Step 3. Enable packet information pre-extraction.
    Command: qos pre-classify
    Remarks: Disabled by default
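
An added example, not from the H3C manual: a Python check that reads a saved configuration and flags tunnel interfaces that lack the settings from the two procedures above or that share an IPsec profile, which the NOTE says takes effect only on the interface that goes up first. The configuration layout, the sample text, and the names parse_tunnels, audit and CHECKS are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample. The layout (an "interface TunnelN" header followed by
# indented commands, "#" between blocks) is an assumption about the saved file.
SAMPLE_CONFIG = """\
interface Tunnel1
 source 192.0.2.1
 destination 198.51.100.1
 ipsec profile branch
 qos pre-classify
#
interface Tunnel2
 source GigabitEthernet0/1
 ipsec profile branch
#
interface Tunnel3
 destination 203.0.113.9
 ipsec profile hq
#
"""

# Command prefix -> finding reported when a tunnel interface lacks it.
CHECKS = (
    ("source ", "no source address or interface"),
    ("destination ", "no destination: cannot act as IKE initiator"),
    ("qos pre-classify", "qos pre-classify not enabled"),
)

def parse_tunnels(text):
    """Return {tunnel name: [commands]} for each tunnel interface block."""
    blocks = re.finditer(r"^interface (Tunnel\d+)[ \t]*\r?\n((?:[ \t]+\S.*\n?)*)", text, re.M)
    return {b.group(1): [c.strip() for c in b.group(2).splitlines()] for b in blocks}

def audit(text):
    """Return sorted (tunnel, finding) pairs for tunnels that use an IPsec profile."""
    findings, users = [], defaultdict(list)
    for name, cmds in parse_tunnels(text).items():
        profiles = [c.split()[2] for c in cmds if re.fullmatch(r"ipsec profile \S+", c)]
        if not profiles:
            continue  # no IPsec profile applied: out of scope for this check
        users[profiles[0]].append(name)
        findings += [(name, msg) for prefix, msg in CHECKS
                     if not any(c.startswith(prefix) for c in cmds)]
    for profile, names in users.items():
        if len(names) > 1:  # per the NOTE, only the first interface to go up uses it
            findings += [(n, f"profile {profile} applied to {len(names)} tunnels") for n in names]
    return sorted(findings)
```

Calling audit(SAMPLE_CONFIG) returns one (tunnel, finding) pair per problem. A missing destination is only a finding for a device that must initiate IKE, since the manual makes it optional for a responder.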
