How to configure an AR to limit the rate of IPSec data flows


To configure an AR to limit the rate of IPSec data flows, configure the QoS function for IPSec packets first, and then configure rate limiting for IPSec data flows through MQC.
<Huawei>system-view
[Huawei]ipsec policy huawei 1 manual //Create an IPSec policy, set the SA creation mode to manual, and enter the IPSec policy view. Alternatively, you can complete the following configurations in the ISAKMP policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view, or GDOI policy view.
[Huawei-ipsec-policy-manual-huawei-1]qos group 10 //Configure the QoS group to which IPSec packets belong.
[Huawei-ipsec-policy-manual-huawei-1]quit
[Huawei]traffic classifier c1 //Create a traffic classifier and enter the traffic classifier view.
[Huawei-classifier-c1]if-match qos-group 10 //Configure a matching rule based on QoS group 10.
[Huawei-classifier-c1]quit
[Huawei]traffic behavior b1 //Create a traffic behavior and enter the traffic behavior view.
[Huawei-behavior-b1]car cir 3000 //Limit the rate of traffic.
[Huawei-behavior-b1]quit
[Huawei]traffic policy p1 //Create a traffic policy and enter the traffic policy view.
[Huawei-trafficpolicy-p1]classifier c1 behavior b1 //Bind the traffic classifier to the traffic behavior.
[Huawei-trafficpolicy-p1]quit
[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-policy p1 outbound //Apply the traffic policy on the interface
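
An added example, not part of the original page or the vendor's documentation: a Python check that the chain configured above (IPSec QoS group, classifier, CAR behavior, traffic policy, outbound interface) is unbroken, because a mismatch at any link leaves the IPSec flow unlimited without any error. The sample configuration is constructed from the commands above; its layout (sub-commands indented under each view header) and the function names are assumptions.

```python
import re
# Constructed sample: the page's commands, laid out as a saved configuration.
SAMPLE = """\
ipsec policy huawei 1 manual
 qos group 10
traffic classifier c1
 if-match qos-group 10
traffic behavior b1
 car cir 3000
traffic policy p1
 classifier c1 behavior b1
interface GigabitEthernet0/0/0
 traffic-policy p1 outbound
"""

def sections(text):
    """Map each unindented view header to the commands indented under it."""
    out, current = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and line.strip() and current:
            out[current].append(line.strip())
        elif line.strip() not in ("", "#"):
            current = line.strip()
            out[current] = []
    return out

def find(sec, header_re, cmd_re):
    """Yield (header match, command match) for commands inside matching views."""
    for hdr, cmds in sec.items():
        h = re.match(header_re, hdr)
        for c in cmds if h else []:
            m = re.match(cmd_re, c)
            if m:
                yield h, m

def audit(text):
    """Return the first broken link between the IPSec policy and the interface."""
    sec = sections(text)
    # "ipsec " covers the policy, template and profile views the page lists.
    groups = {m[1] for _, m in find(sec, r"ipsec ", r"qos group (\d+)$")}
    classes = {h[1] for h, m in find(sec, r"traffic classifier (\S+)",
               r"if-match qos-group (\d+)$") if m[1] in groups}
    limited = {h[1] for h, _ in find(sec, r"traffic behavior (\S+)", r"car cir \d+")}
    policies = {h[1] for h, m in find(sec, r"traffic policy (\S+)",
                r"classifier (\S+) behavior (\S+)") if m[1] in classes and m[2] in limited}
    applied = {m[1] for _, m in find(sec, r"interface ", r"traffic-policy (\S+) outbound")}
    checks = [(groups, "no 'qos group' under an ipsec policy"),
              (classes, "no classifier matches the IPSec qos-group"),
              (policies, "classifier is not bound to a 'car' behavior"),
              (policies & applied, "traffic policy is not applied outbound")]
    return [msg for ok, msg in checks if not ok][:1]
```

An empty list from `audit()` means every link is present; otherwise the single message names the first link that is missing.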

Other related questions:
How to limit the flow of IPSec VPN with the USG6000
The speed-limit command can be used to rate-limit IPSec traffic. When multiple tunnels are built on the NGFW, heavy traffic can cause the tunnels to contend with one another. Configuring the speed-limit command limits the packet flow of each IPSec tunnel: traffic that exceeds the limit is discarded, which ensures that traffic on every tunnel is forwarded.

How to assure forwarding of IPSec data flows on an AR
Configure the QoS function for IPSec packets first, and then configure assured forwarding (AF) for IPSec data flows through MQC.
<Huawei>system-view
[Huawei]ipsec policy huawei 1 manual //Create an IPSec policy, set the SA creation mode to manual, and enter the IPSec policy view. Alternatively, you can complete the following configurations in the ISAKMP policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view, or GDOI policy view.
[Huawei-ipsec-policy-manual-huawei-1]qos group 10 //Configure the QoS group to which IPSec packets belong.
[Huawei-ipsec-policy-manual-huawei-1]quit
[Huawei]traffic classifier c1 //Create a traffic classifier and enter the traffic classifier view.
[Huawei-classifier-c1]if-match qos-group 10 //Configure a matching rule based on QoS group 10.
[Huawei-classifier-c1]quit
[Huawei]traffic behavior b1 //Create a traffic behavior and enter the traffic behavior view.
[Huawei-behavior-b1]queue af bandwidth 3000 //Configure AF for the matched data flow.
[Huawei-behavior-b1]quit
[Huawei]traffic policy p1 //Create a traffic policy and enter the traffic policy view.
[Huawei-trafficpolicy-p1]classifier c1 behavior b1 //Bind the traffic classifier to the traffic behavior.
[Huawei-trafficpolicy-p1]quit
[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-policy p1 outbound //Apply the traffic policy on the interface.

Configuring interested IPSec data flows on the firewall
Common IPSec maintenance commands on the USG
display ike peer //Display the configuration information of the IKE peer.
display ike proposal //Display the configuration information of the IKE proposal.
display ike sa //Display the configuration information of the SA established in IKE negotiation mode.
display ipsec policy //Display the configuration information of the security policy.
display ipsec policy-template //Display the configuration information of the security policy template.
display ipsec proposal //Display the configuration information of the IPSec proposal.
display ipsec sa //Display the configuration information of the SA.
display ipsec sa global-configuration //Display the global configuration information of the IPSec SA, including the global hard lifetime information, global soft lifetime information, and global anti-replay information.
display ipsec statistics //Display IPSec packet statistics.
