Applying an IPsec policy to an interface

You can apply an IPsec policy to an interface to protect specific data flows. To remove IPsec protection, remove the IPsec policy from the interface. In addition to physical interfaces, such as Ethernet interfaces, you can apply an IPsec policy to virtual interfaces, such as tunnel and virtual template interfaces, to protect applications such as GRE and L2TP.

For each packet to be sent out of an interface to which an IPsec policy is applied, the interface looks through the IPsec policy entries in that policy in ascending order of sequence numbers. If the packet matches the ACL of an IPsec policy entry, the interface uses that entry to protect the packet. If no match is found, the interface sends the packet out without IPsec protection.

When the interface receives an IPsec packet destined for the local device, it searches for the inbound IPsec SA according to the SPI in the IPsec packet header for de-encapsulation. If the de-encapsulated packet matches a permit rule of the ACL, the device processes the packet. If the de-encapsulated packet does not match any permit rule of the ACL, the device drops the packet.

To apply an IPsec policy to an interface:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

Step 3. Apply an IPsec policy to the interface.
   Command: ipsec apply { policy | ipv6-policy } policy-name
   Remarks: By default, no IPsec policy is applied to an interface.
   On an interface, you can apply a maximum of two IPsec policies: one IPv4 IPsec policy and one IPv6 IPsec policy.
   An IKE-based IPsec policy can be applied to multiple interfaces. As a best practice, apply an IKE-based IPsec policy to only one interface. A manual IPsec policy can be applied to only one interface.

Step 4. Specify a traffic processing slot for the interface.
   Command (standalone mode): service slot slot-number
   Command (IRF mode): service chassis chassis-number slot slot-number
   Remarks: By default, no traffic processing slot is specified for an interface. Traffic on an interface is processed on the slot at which the traffic arrives.
   This step is required when both of the following conditions are met:
     • An IKE-based IPsec policy is applied to global logical interfaces, such as VLAN interfaces and tunnel interfaces.
     • The IPsec anti-replay feature is globally enabled.
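The following is an added model of the per-packet behaviour described above (outbound entry lookup in ascending sequence order, inbound SA lookup by SPI, and the permit-rule check on the de-encapsulated packet); it is illustrative code written for this page, not vendor code. The policy entries, ACL rules and SPI values are constructed, and two details the text leaves open are assumptions: a packet hitting a deny rule in one entry falls through to the next entry, and an inbound packet with an unknown SPI is dropped. The practical point it makes visible is the fail-open case: a flow that matches no entry leaves the interface in cleartext.

```python
from ipaddress import ip_address, ip_network

# Constructed model (not vendor code). An ACL rule is a tuple
# ("permit" | "deny", source CIDR, destination CIDR). A policy entry is
# (sequence number, ACL rule list, SPI of the entry's inbound SA).


def acl_action(acl, src, dst):
    """First-match ACL evaluation; no match is the implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action
    return "deny"


def outbound_lookup(policy, src, dst):
    """Walk entries in ascending sequence order; the first entry whose ACL
    permits the flow protects it. Returns ("protect", seq) or ("clear", None).
    Assumption: a deny or no match in one entry falls through to the next.
    A ("clear", None) result means the packet leaves without IPsec protection."""
    for seq, acl, _spi in sorted(policy, key=lambda entry: entry[0]):
        if acl_action(acl, src, dst) == "permit":
            return ("protect", seq)
    return ("clear", None)


def inbound_check(policy, spi, src, dst):
    """Locate the inbound SA by SPI, then require the de-encapsulated packet
    to match a permit rule of that entry's ACL; otherwise drop it.
    Assumption: a packet whose SPI matches no inbound SA is dropped."""
    for _seq, acl, entry_spi in policy:
        if entry_spi == spi:
            return "accept" if acl_action(acl, src, dst) == "permit" else "drop"
    return "drop"


# Constructed sample policy: entry 10 is the narrow site-to-site flow,
# entry 20 is a broad catch-all. Entries are deliberately listed out of order
# to show that lookup follows sequence numbers, not list position.
POLICY = [
    (20, [("permit", "10.0.0.0/8", "10.0.0.0/8")], 0x2000),
    (10, [("deny", "10.1.1.5/32", "10.2.0.0/16"),
          ("permit", "10.1.1.0/24", "10.2.0.0/16")], 0x1000),
]

if __name__ == "__main__":
    print(outbound_lookup(POLICY, "10.1.1.7", "10.2.3.4"))       # ('protect', 10)
    print(outbound_lookup(POLICY, "10.1.1.5", "10.2.3.4"))       # ('protect', 20)
    print(outbound_lookup(POLICY, "192.168.1.1", "8.8.8.8"))     # ('clear', None)
    print(inbound_check(POLICY, 0x1000, "10.1.1.7", "10.2.3.4"))  # accept
    print(inbound_check(POLICY, 0x1000, "10.1.1.5", "10.2.3.4"))  # drop
```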