How does IPSec on an AR router define data flows to be protected

IPSec can protect one or more data flows. If an ACL is used to establish an IPSec tunnel, the ACL can specify data flows to be protected by IPSec. In practice, you need to configure an ACL to define data flows to be protected and reference the ACL in an IPSec policy to protect the data flows. An IPSec policy can reference only one ACL:
- If different data flows have different security requirements, create different ACLs and IPSec policies.
- If different data flows have the same security requirements, configure multiple rules in an ACL to protect different data flows.

When configuring IPSec, pay attention to the following points:
- The ACLs at both ends of an IPSec tunnel must define the same protocol type. For example, if the ACL at one end defines an IP protocol, the ACL at the other end must use the IP protocol.
- When ACL rules at both ends of an IPSec tunnel mirror each other, SAs can be set up successfully no matter which party initiates negotiation. If ACL rules at both ends of an IPSec tunnel do not mirror each other, SAs can be set up successfully only when the range specified by ACL rules on the initiator is a subset of the range specified by ACL rules on the responder. It is recommended that ACL rules at both ends of an IPSec tunnel mirror each other. That is, the source and destination addresses of an ACL at one end are the destination and source addresses of an ACL at the other end.
- For IKEv1, if IPSec policies in ISAKMP mode are configured at both ends, ACL rules at both ends of an IPSec tunnel must mirror each other. If an IPSec policy in ISAKMP mode is configured at one end and an IPSec policy using an IPSec policy template is configured at the other end, the range of ACL rules in the IPSec policy in ISAKMP mode can be the subset of ACL rules in the IPSec policy using an IPSec policy template. The devices use overlapping rules as the negotiation result.
- For IKEv2, mirroring is not necessary. SAs can be set up successfully as long as the range of ACL rules configured on the initiator is a subset of the range configured on the responder. The devices use overlapping rules as the negotiation result.
- The ACL rule with a larger rule ID cannot completely cover the ACL rule with a smaller rule ID.
- ACLs referenced by the same IPSec policy group cannot contain the same ACL rule.
- When IKEv2 is used, ACL rules referenced by IPSec policies of an IPSec policy group cannot overlap.
- When the negotiation responder uses the IPSec policy that is created through an IPSec policy template:
  - You must specify the source IP address in an ACL rule referenced by an IPSec policy on the initiator; otherwise, an IPSec tunnel cannot be set up.
  - If data flows to be protected are not specified, the responder accepts the range of data flows to be protected on the initiator. If data flows to be protected are specified, the ACL on the responder must mirror the ACL on the initiator or the range specified by the ACL on the responder must cover the range specified by the ACL on the initiator.
- If NAT is configured on an interface to which an IPSec policy is applied, IPSec may not take effect because NAT is performed first. You can use the following methods:
  - Configure the destination IP address that matches the deny clause in an ACL referenced by NAT as the destination IP address in an ACL referenced by IPSec. In this case, data flows protected by IPSec are not translated by NAT.
  - Configure the ACL rule referenced by NAT to match the IP address translated by NAT.
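The mirroring, subset, rule-ID and policy-group constraints above are easy to get wrong by hand when an ACL has several rules. The following script is an added example, not Huawei code and not part of the original page: it models ACL rules as (protocol, source, destination) triples and checks, for constructed sample ACLs, whether two ends can negotiate SAs under the rules described above, whether a larger rule ID completely covers a smaller one, and whether ACLs in one IPSec policy group overlap. The `responder_uses_template` flag and the IPv4-only, exact-protocol-name matching are simplifying assumptions of this example, not router behaviour taken from the page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class AclRule:
    """One ACL rule as an IPSec policy sees it: protocol, source range, destination range."""
    rule_id: int
    protocol: str
    source: IPv4Network
    destination: IPv4Network

    def mirror(self) -> "AclRule":
        # The mirror of a rule swaps source and destination; the protocol type stays the same.
        return AclRule(self.rule_id, self.protocol, self.destination, self.source)

    def same_flow(self, other: "AclRule") -> bool:
        return (self.protocol == other.protocol and self.source == other.source
                and self.destination == other.destination)

    def covers(self, other: "AclRule") -> bool:
        # A rule covers another when both ranges of the other fit inside its own ranges.
        return (self.protocol == other.protocol
                and other.source.subnet_of(self.source)
                and other.destination.subnet_of(self.destination))

    def overlaps(self, other: "AclRule") -> bool:
        return (self.protocol == other.protocol
                and self.source.overlaps(other.source)
                and self.destination.overlaps(other.destination))


def rule(rule_id, protocol, source, destination):
    return AclRule(rule_id, protocol, IPv4Network(source), IPv4Network(destination))


def acls_mirror(local, remote):
    """True when every rule on one end has an exact mirror on the other end, and vice versa."""
    return (all(any(r.mirror().same_flow(l) for r in remote) for l in local)
            and all(any(l.mirror().same_flow(r) for l in local) for r in remote))


def initiator_within_responder(initiator, responder):
    """True when each initiator rule fits inside the mirror of some responder rule."""
    return all(any(r.mirror().covers(i) for r in responder) for i in initiator)


def can_negotiate(initiator, responder, ike_version, responder_uses_template=False):
    """Apply the mirror/subset rules from the page (IKEv1 ISAKMP, IKEv1 template, IKEv2)."""
    if acls_mirror(initiator, responder):
        return True
    if ike_version == 2 or responder_uses_template:
        return initiator_within_responder(initiator, responder)
    return False  # IKEv1 with ISAKMP-mode policies at both ends needs mirrored rules


def rule_id_violations(acl):
    """(larger_id, smaller_id) pairs where the larger rule ID completely covers the smaller."""
    ordered = sorted(acl, key=lambda r: r.rule_id)
    return [(big.rule_id, small.rule_id)
            for idx, big in enumerate(ordered)
            for small in ordered[:idx]
            if big.covers(small)]


def policy_group_overlaps(acls):
    """Rule-ID pairs from different ACLs of one IPSec policy group whose flows overlap."""
    found = []
    for i, acl_a in enumerate(acls):
        for acl_b in acls[i + 1:]:
            found.extend((ra.rule_id, rb.rule_id)
                         for ra in acl_a for rb in acl_b if ra.overlaps(rb))
    return found


# Constructed sample ACLs (addresses are illustrative, not from any real deployment).
BRANCH = [rule(5, "ip", "10.1.1.0/24", "10.2.2.0/24")]             # initiator
HQ_MIRROR = [rule(5, "ip", "10.2.2.0/24", "10.1.1.0/24")]          # exact mirror
HQ_WIDE = [rule(5, "ip", "10.2.0.0/16", "10.1.0.0/16")]            # wider than the branch
HQ_WRONG_PROTO = [rule(5, "tcp", "10.2.2.0/24", "10.1.1.0/24")]    # protocol type differs
BAD_ORDER = [rule(5, "ip", "10.1.1.0/24", "10.2.2.0/24"),
             rule(10, "ip", "10.1.0.0/16", "10.2.0.0/16")]         # rule 10 covers rule 5
GROUP = [[rule(5, "ip", "10.1.1.0/24", "10.2.2.0/24")],
         [rule(5, "ip", "10.1.0.0/16", "10.2.0.0/16")]]            # two ACLs in one policy group


if __name__ == "__main__":
    print("mirrored, IKEv1 ISAKMP both ends:", can_negotiate(BRANCH, HQ_MIRROR, 1))
    print("wider responder, IKEv1 ISAKMP both ends:", can_negotiate(BRANCH, HQ_WIDE, 1))
    print("wider responder, IKEv1 template on responder:",
          can_negotiate(BRANCH, HQ_WIDE, 1, responder_uses_template=True))
    print("wider responder, IKEv2:", can_negotiate(BRANCH, HQ_WIDE, 2))
    print("wider initiator, IKEv2:", can_negotiate(HQ_WIDE, BRANCH, 2))
    print("protocol mismatch, IKEv2:", can_negotiate(BRANCH, HQ_WRONG_PROTO, 2))
    print("rule-ID coverage violations:", rule_id_violations(BAD_ORDER))
    print("policy-group overlaps:", policy_group_overlaps(GROUP))
```

The checks are deliberately conservative: a responder rule only counts as covering an initiator rule when its mirror contains both address ranges and the protocol type is identical, which is the condition the page gives for the non-mirrored case.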
