Implementing ACL-based IPsec
Use the following procedure to implement ACL-based IPsec:
Configure an ACL for identifying data flows to be protected. To use IPsec to protect VPN traffic, you do not need to specify the VPN parameters in the ACL rules.
Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and the encapsulation mode.
Configure an IPsec policy to associate the data flows (the ACL) with the IPsec transform sets, and to specify the SA negotiation mode (IKE-negotiated or manual), the peer IP addresses (the start and end points of the IPsec tunnel), the required keys (manual mode only; IKE derives them), and the SA lifetime.
An IPsec policy is a set of IPsec policy entries that have the same name but different sequence numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has a higher priority.
Apply the IPsec policy to an interface.
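The four steps above as one complete Comware-style configuration. This is an added example, not configuration from the original page: the ACL number, names, addresses, interface and the pre-shared key are assumptions, and lines beginning with `#` are annotations rather than commands.

```text
# Assumed topology: local endpoint 1.1.1.1 on GigabitEthernet1/0/1 protects
# 10.1.1.0/24; remote endpoint 2.2.2.2 protects 10.1.2.0/24.

# Step 1. ACL identifying the flows to protect. The peer must configure the
# mirror-image rule (source and destination swapped) or negotiation fails.
acl advanced 3101
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
quit

# Step 2. Transform set: ESP in tunnel mode, AES-256-CBC with HMAC-SHA-256.
ipsec transform-set tran1
 protocol esp
 encapsulation-mode tunnel
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
quit

# Step 3a. IKE identity and authentication for this peer (pre-shared key
# bound to the peer address; the key value is a placeholder).
ike keychain keychain1
 pre-shared-key address 2.2.2.2 255.255.255.255 key simple ExampleKey-ChangeMe
quit
ike profile profile1
 keychain keychain1
 local-identity address 1.1.1.1
 match remote identity address 2.2.2.2 255.255.255.255
quit

# Step 3b. IPsec policy "policy1", entry 10, IKE-negotiated (isakmp).
# Entries with smaller sequence numbers in policy1 are matched first.
ipsec policy policy1 10 isakmp
 security acl 3101
 transform-set tran1
 remote-address 2.2.2.2
 ike-profile profile1
 sa duration time-based 3600
 sa duration traffic-based 1843200
quit

# Step 4. Apply the policy to the tunnel endpoint interface.
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
 ipsec apply policy policy1
quit

# Two of the optional tasks that a hardened deployment should not skip:
# discard de-encapsulated packets that do not match the ACL, and enable
# anti-replay checking with a 64-packet window.
ipsec decrypt-check enable
ipsec anti-replay check
ipsec anti-replay window 64
```

For the manual alternative, the policy entry is created with `ipsec policy policy1 10 manual` and the SPIs and keys that IKE would otherwise negotiate are set inside it with `sa spi` and `sa string-key` (or `sa hex-key`), in which case both peers must configure matching values by hand and no lifetime-driven rekey takes place. After traffic matching the ACL leaves the interface, `display ike sa` and `display ipsec sa` show whether phase 1 and the IPsec SA pair actually came up.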
Complete the following tasks to configure ACL-based IPsec:
| Tasks at a glance |
|---|
| (Required.) Configuring an ACL |
| (Required.) Configuring an IPsec transform set |
| (Required.) Configuring an IPsec policy (use either method) |
| (Required.) Applying an IPsec policy to an interface |
| (Optional.) Enabling ACL checking for de-encapsulated packets |
| (Optional.) Configuring IPsec anti-replay |
| (Optional.) Configuring IPsec anti-replay redundancy |
| (Optional.) Binding a source interface to an IPsec policy |
| (Optional.) Enabling QoS pre-classify |
| (Optional.) Enabling logging of IPsec packets |
| (Optional.) Configuring the DF bit of IPsec packets |
| (Optional.) Configuring IPsec RRI |
| (Optional.) Configuring SNMP notifications for IPsec |
| (Optional.) Configuring IPsec fragmentation |
| (Optional.) Setting the maximum number of IPsec tunnels |
| (Optional.) Enabling logging for IPsec negotiation |