305
{
Non-IPsec packets that match a permit statement are dropped.
{
IPsec packets destined for the device itself are de-encapsulated. By default, the
de-encapsulated packets are compared against the ACL rules. Only those that match a
permit statement are processed. Other packets are dropped. If ACL checking for
de-encapsulated IPsec packets is disabled, the de-encapsulated packets are not compared
against the ACL rules and are directly processed by other modules.
When defining ACL rules for IPsec, follow these guidelines:
•
Permit only data flows that need to be protected and use the
any
keyword with caution. With the
any
keyword specified in a permit statement, all outbound traffic matching the permit statement
will be protected by IPsec. All inbound IPsec packets matching the permit statement will be
received and processed, but all inbound non-IPsec packets will be dropped. This will cause all
the inbound traffic that does not need IPsec protection to be dropped.
•
Avoid statement conflicts in the scope of IPsec policy entries. When creating a deny statement,
be careful with its match scope and match order relative to permit statements. The policy
entries in an IPsec policy have different match priorities. ACL rule conflicts between them are
prone to cause mistreatment of packets. For example, when configuring a permit statement for
an IPsec policy entry to protect an outbound traffic flow, you must avoid the situation that the
traffic flow matches a deny statement in a higher priority IPsec policy entry. Otherwise, the
packets will be sent out as normal packets. If they match a permit statement at the receiving
end, they will be dropped by IPsec.
Mirror image ACLs
To make sure SAs can be set up and the traffic protected by IPsec can be processed correctly
between two IPsec peers, create mirror image ACLs on the IPsec peers.
ACL for MPLS L3VPN IPsec protection
To use IPsec to protect the data of an MPLS L3VPN, you must specify the VPN instance for the
protected data in the ACL.
Configuring an IPsec transform set
An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA
negotiation, including the security protocol, encryption algorithms, and authentication algorithms.
Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the
changes to existing SAs, execute the
reset ipsec sa
command to clear the SAs so that they can be
set up by using the updated parameters.
To configure an IPsec transform set:
Step Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Create an IPsec
transform set and enter
its view.
ipsec
transform-set
transform-set-name
By default, no IPsec transform
sets exist.
3.
Specify the security
protocol for the IPsec
transform set.
protocol
{
ah
|
ah-esp
|
esp
}
Optional.
By default, the IPsec transform set
uses ESP as the security protocol.
4.
Specify the security
algorithms.
•
(In non-FIPS mode.) Specify the
encryption algorithm for ESP:
esp encryption-algorithm
{
3des-cbc
|
aes-cbc-128
|
aes-cbc-192
|
aes-cbc-256
|
aes-ctr-128
|
aes-ctr-192
|
aes-ctr-256
|
camellia-cbc-128
|
camellia-cbc-192
|
Configure at least one command.
By default, no security algorithm is
specified.
You can specify security
algorithms for a security protocol
only when the security protocol is
used by the transform set. For
Содержание FlexFabric 5940 SERIES
Страница 251: ...238 ...
