How to assure forwarding of IPSec data flows on an AR


Configure the QoS function for IPSec packets first, and then configure assured forwarding (AF) for IPSec data flows through MQC. The IPSec policy marks the packets it encapsulates with a QoS group, which is how the traffic classifier on the outbound interface identifies them: after encapsulation the original source and destination addresses are no longer visible, so an ACL-based classifier would not match them.
system-view
[Huawei]ipsec policy huawei 1 manual //Create an IPSec policy, set the SA creation mode to manual, and enter the IPSec policy view. Alternatively, you can complete the following configurations in the ISAKMP policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view, or GDOI policy view.
[Huawei-ipsec-policy-manual-huawei-1]qos group 10 //Configure the QoS group to which IPSec packets belong.
[Huawei-ipsec-policy-manual-huawei-1]quit
[Huawei]traffic classifier c1 //Create a traffic classifier and enter the traffic classifier view.
[Huawei-classifier-c1]if-match qos-group 10 //Configure a matching rule based on QoS group 10.
[Huawei-classifier-c1]quit
[Huawei]traffic behavior b1 //Create a traffic behavior and enter the traffic behavior view.
[Huawei-behavior-b1]queue af bandwidth 3000 //Configure AF for the matched data flow.
[Huawei-behavior-b1]quit
[Huawei]traffic policy p1 //Create a traffic policy and enter the traffic policy view.
[Huawei-trafficpolicy-p1]classifier c1 behavior b1 //Bind the traffic classifier to the traffic behavior.
[Huawei-trafficpolicy-p1]quit
[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-policy p1 outbound //Apply the traffic policy on the interface.

Other related questions:
How to configure an AR to limit the rate of IPSec data flows
To configure an AR to limit the rate of IPSec data flows, configure the QoS function for IPSec packets first, and then configure rate limiting for IPSec data flows through MQC.
system-view
[Huawei]ipsec policy huawei 1 manual //Create an IPSec policy, set the SA creation mode to manual, and enter the IPSec policy view. Alternatively, you can complete the following configurations in the ISAKMP policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view, or GDOI policy view.
[Huawei-ipsec-policy-manual-huawei-1]qos group 10 //Configure the QoS group to which IPSec packets belong.
[Huawei-ipsec-policy-manual-huawei-1]quit
[Huawei]traffic classifier c1 //Create a traffic classifier and enter the traffic classifier view.
[Huawei-classifier-c1]if-match qos-group 10 //Configure a matching rule based on QoS group 10.
[Huawei-classifier-c1]quit
[Huawei]traffic behavior b1 //Create a traffic behavior and enter the traffic behavior view.
[Huawei-behavior-b1]car cir 3000 //Limit the rate of the matched traffic to a CIR of 3000 kbit/s.
[Huawei-behavior-b1]quit
[Huawei]traffic policy p1 //Create a traffic policy and enter the traffic policy view.
[Huawei-trafficpolicy-p1]classifier c1 behavior b1 //Bind the traffic classifier to the traffic behavior.
[Huawei-trafficpolicy-p1]quit
[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-policy p1 outbound //Apply the traffic policy on the interface.

IPSec packet forwarding flow on the USG5000
In the NGFW processing flow, IPSec processing takes place after NAT, routing, and security policy processing. Packets that are to be protected by IPSec must therefore not be rewritten by NAT policies, and must be delivered, by matching routes and security policies, to the interface on which the IPSec policy is applied. The specific requirements are as follows:
1. Packets arriving at the NGFW must not match the server map table or reverse server map table established by the NAT server. Otherwise, their destination addresses are translated.
2. Packets arriving at the NGFW must not match a destination NAT policy. Otherwise, their destination addresses are translated.
3. A route (generally the default route) to the private network of the IKE peer must exist in the routing table, and the outbound interface of that route must have the IPSec policy applied. If no route matches, the packets are discarded; if the outbound interface of the matching route has no IPSec policy applied, the packets are not delivered to the IPSec processing module but are sent in plain text.
4. IPSec VPN data flows are generally transmitted between zones, so the inter-zone packet filter between the source zone (where the intranet interface resides) and the destination zone (where the external interface with the IPSec policy resides) must be enabled and must permit the flow. Otherwise, the packets are discarded.
5. Source NAT for packets that pass the inter-zone packet filter is optional. If the packets match an inter-zone source NAT policy, their source addresses are translated, and the translated source addresses are what is matched against the security ACL rules. Packets that match no inter-zone NAT policy are delivered directly to the IPSec processing module.
6. Packets arriving at the IPSec processing module are protected only if they match the security ACL rules. Otherwise, the packets are discarded.
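The processing order above, modelled as an added example (this is a constructed illustration, not USG5000 code; every table, address, zone and interface name is made up for the example). It walks a packet through the six checks in order and shows the trap in step 5: a security ACL written for the pre-NAT source addresses never matches once source NAT has rewritten them, and the packet is dropped instead of being encrypted.

```python
"""Model of the NGFW processing order: NAT server map and destination NAT,
then routing, inter-zone filter, optional source NAT, then the IPSec security
ACL. Added illustration, not USG5000 code; all tables below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    src_zone: str


@dataclass
class Firewall:
    server_map: dict        # public dst address -> private address (NAT server)
    dst_nat: dict           # dst network -> translated dst (destination NAT policy)
    routes: list            # (dst network, outbound interface)
    ipsec_interfaces: set   # interfaces to which an IPSec policy is applied
    interface_zone: dict    # interface -> security zone
    interzone_filter: set   # (src zone, dst zone) pairs the packet filter permits
    src_nat: dict           # (src zone, dst zone) -> (src network, translated src)
    security_acl: list      # (src network, dst network) permit rules of the IPSec ACL


def _in(addr, net):
    return ip_address(addr) in ip_network(net)


def forward(fw, pkt):
    """Return (disposition, detail) for one packet, following steps 1 to 6."""
    # Steps 1 and 2: a server-map or destination-NAT hit rewrites the destination,
    # so the packet is no longer the flow the IPSec ACL describes.
    if pkt.dst in fw.server_map:
        return "dnat", f"destination translated to {fw.server_map[pkt.dst]} by server map"
    for net, new_dst in fw.dst_nat.items():
        if _in(pkt.dst, net):
            return "dnat", f"destination translated to {new_dst} by destination NAT"
    # Step 3: longest-prefix route lookup; the outbound interface must carry IPSec.
    best = None
    for net, iface in fw.routes:
        n = ip_network(net)
        if ip_address(pkt.dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    if best is None:
        return "drop", "no route to destination"
    iface = best[1]
    if iface not in fw.ipsec_interfaces:
        return "plaintext", f"forwarded unencrypted via {iface}, which applies no IPSec policy"
    # Step 4: the inter-zone packet filter must permit source zone -> IPSec interface zone.
    dst_zone = fw.interface_zone[iface]
    if (pkt.src_zone, dst_zone) not in fw.interzone_filter:
        return "drop", f"inter-zone filter {pkt.src_zone} -> {dst_zone} denies the packet"
    # Step 5: optional source NAT; the translated source is what the ACL is matched against.
    src = pkt.src
    rule = fw.src_nat.get((pkt.src_zone, dst_zone))
    if rule and _in(src, rule[0]):
        src = rule[1]
    # Step 6: only flows matching the security ACL are protected; others are dropped.
    for s_net, d_net in fw.security_acl:
        if _in(src, s_net) and _in(pkt.dst, d_net):
            return "ipsec", f"{src} -> {pkt.dst} encrypted and sent via {iface}"
    return "drop", f"{src} -> {pkt.dst} matches no security ACL rule"


# Constructed topology: intranet in zone trust behind GE0/0/0, IPSec policy on GE0/0/1 (untrust).
FW = Firewall(
    server_map={"203.0.113.10": "10.1.1.10"},
    dst_nat={},
    routes=[("0.0.0.0/0", "GE0/0/1"), ("10.2.0.0/16", "GE0/0/2")],
    ipsec_interfaces={"GE0/0/1"},
    interface_zone={"GE0/0/0": "trust", "GE0/0/1": "untrust", "GE0/0/2": "dmz"},
    interzone_filter={("trust", "untrust")},
    src_nat={("trust", "untrust"): ("192.168.1.0/24", "203.0.113.1")},
    security_acl=[("10.1.1.0/24", "10.3.0.0/16")],   # written for pre-NAT addresses
)

SCENARIOS = {
    "acl_match": Packet("10.1.1.5", "10.3.0.7", "trust"),
    "source_nat_then_no_acl_match": Packet("192.168.1.5", "10.3.0.7", "trust"),
    "route_out_non_ipsec_interface": Packet("10.1.1.5", "10.2.0.7", "trust"),
    "server_map_hit": Packet("10.1.1.5", "203.0.113.10", "trust"),
    "interzone_filter_denied": Packet("10.1.1.5", "10.3.0.7", "dmz"),
}


def run_scenarios(fw=FW, scenarios=SCENARIOS):
    """Map each scenario name to the disposition forward() gives its packet."""
    return {name: forward(fw, pkt)[0] for name, pkt in scenarios.items()}


if __name__ == "__main__":
    for name, pkt in SCENARIOS.items():
        print(f"{name:32} {forward(FW, pkt)}")
```

Only the first scenario is encrypted. The second one is the case step 5 warns about: the source NAT rule rewrites 192.168.1.5 to 203.0.113.1 before the ACL is consulted, so either the source NAT policy needs a deny for the flow or the security ACL must match the translated address.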

How does IPSec on an AR router define data flows to be protected
IPSec can protect one or more data flows. If an ACL is used to establish an IPSec tunnel, the ACL specifies the data flows to be protected by IPSec. In practice, you configure an ACL to define the data flows to be protected and reference the ACL in an IPSec policy. An IPSec policy can reference only one ACL:
- If different data flows have different security requirements, create different ACLs and IPSec policies.
- If different data flows have the same security requirements, configure multiple rules in one ACL to protect the different data flows.
When configuring IPSec, pay attention to the following points:
- The ACLs at both ends of an IPSec tunnel must define the same protocol type. For example, if the ACL at one end matches the IP protocol, the ACL at the other end must also match the IP protocol.
- When the ACL rules at both ends of an IPSec tunnel mirror each other, SAs can be set up no matter which party initiates negotiation. If the ACL rules at both ends do not mirror each other, SAs can be set up only when the range specified by the ACL rules on the initiator is a subset of the range specified by the ACL rules on the responder. It is recommended that the ACL rules at both ends mirror each other, that is, the source and destination addresses of the ACL at one end are the destination and source addresses of the ACL at the other end.
- For IKEv1, if IPSec policies in ISAKMP mode are configured at both ends, the ACL rules at both ends of the IPSec tunnel must mirror each other. If an IPSec policy in ISAKMP mode is configured at one end and an IPSec policy created from an IPSec policy template at the other end, the range of ACL rules in the ISAKMP-mode IPSec policy can be a subset of the range of ACL rules in the template-based IPSec policy. The devices use the overlapping rules as the negotiation result.
- For IKEv2, mirroring is not necessary. SAs can be set up as long as the range of ACL rules configured on the initiator is a subset of the range configured on the responder. The devices use the overlapping rules as the negotiation result.
- An ACL rule with a larger rule ID cannot completely cover an ACL rule with a smaller rule ID.
- ACLs referenced by the same IPSec policy group cannot contain the same ACL rule.
- When IKEv2 is used, the ACL rules referenced by the IPSec policies of one IPSec policy group cannot overlap.
- When the negotiation responder uses an IPSec policy created from an IPSec policy template:
  - You must specify the source IP address in the ACL rule referenced by the IPSec policy on the initiator; otherwise, the IPSec tunnel cannot be set up.
  - If the template does not specify the data flows to be protected, the responder accepts the range of data flows to be protected configured on the initiator. If it does specify them, the ACL on the responder must mirror the ACL on the initiator, or the range specified by the ACL on the responder must cover the range specified by the ACL on the initiator.
- If NAT is configured on the interface to which an IPSec policy is applied, IPSec may not take effect because NAT is performed first. Use one of the following methods:
  - In the ACL referenced by NAT, add a deny clause whose destination IP address is the destination IP address used in the ACL referenced by IPSec. Data flows protected by IPSec are then not translated by NAT.
  - Configure the ACL rule referenced by IPSec to match the IP address after NAT translation.
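The mirroring and subset conditions above, checked programmatically as an added example (this is not AR router code; the two peers' rule sets are constructed, and each (source, destination) pair stands for one permit ip rule in an advanced ACL). It decides whether two rule sets mirror each other, whether the initiator's range fits inside the responder's, what the overlapping range that becomes the negotiation result is, and whether a larger rule ID covers a smaller one.

```python
"""Checks of the ACL-range rules for two IPSec peers: mirroring, the
initiator-subset condition, the overlapping range used as the negotiation
result, and the rule-ID ordering constraint. Added example, not AR code; the
rule sets are constructed and each (src, dst) pair is one 'rule permit ip'."""
from ipaddress import ip_network


def norm(rule):
    """(src, dst) prefix strings -> comparable, hashable network objects."""
    return ip_network(rule[0]), ip_network(rule[1])


def mirror(rule):
    """The same flow as seen from the other peer: source and destination swapped."""
    return rule[1], rule[0]


def covers(outer, inner):
    """True if flow range `outer` completely contains flow range `inner`."""
    o, i = norm(outer), norm(inner)
    return i[0].subnet_of(o[0]) and i[1].subnet_of(o[1])


def is_mirrored(local, remote):
    """Every local rule has an exact mirror on the remote side, and vice versa."""
    return {norm(mirror(r)) for r in local} == {norm(r) for r in remote}


def initiator_is_subset(initiator, responder):
    """Each initiator rule must fit inside the mirror of some responder rule."""
    return all(any(covers(mirror(r), i) for r in responder) for i in initiator)


def _narrower(a, b):
    """Intersection of two prefixes when one contains the other, else None."""
    na, nb = ip_network(a), ip_network(b)
    if na.subnet_of(nb):
        return na
    if nb.subnet_of(na):
        return nb
    return None


def negotiated(initiator, responder):
    """The overlapping rules the peers settle on, expressed from the initiator's side."""
    result = []
    for i in initiator:
        for r in responder:
            m = mirror(r)
            s, d = _narrower(i[0], m[0]), _narrower(i[1], m[1])
            if s is not None and d is not None:
                result.append((str(s), str(d)))
    return result


def can_negotiate(initiator, responder, ike_version, responder_uses_template=False):
    """Apply the mirroring/subset conditions: IKEv1 with ISAKMP policies on both
    ends needs an exact mirror; IKEv2, or a template-based responder, accepts an
    initiator range that is a subset of the responder's."""
    if is_mirrored(initiator, responder):
        return True                       # mirrored: either side may initiate
    if ike_version == 2 or responder_uses_template:
        return initiator_is_subset(initiator, responder)
    return False                          # IKEv1, ISAKMP on both ends, not mirrored


def rule_order_ok(rules):
    """An ACL rule with a larger ID must not completely cover one with a smaller ID.
    `rules` are (rule_id, src, dst) tuples."""
    ordered = sorted(rules)
    for idx, (_, *small) in enumerate(ordered):
        for _, *big in ordered[idx + 1:]:
            if covers(big, small):
                return False
    return True


# Constructed peers: site A is the initiator.
SITE_A = [("10.1.1.0/24", "10.2.2.0/24")]
SITE_B_MIRROR = [("10.2.2.0/24", "10.1.1.0/24")]   # exact mirror of A
SITE_B_WIDER = [("10.2.0.0/16", "10.1.0.0/16")]    # covers A's flow but is not a mirror

if __name__ == "__main__":
    print("mirrored:", is_mirrored(SITE_A, SITE_B_MIRROR))
    print("IKEv1 ISAKMP both ends, wider responder:", can_negotiate(SITE_A, SITE_B_WIDER, 1))
    print("IKEv1 with template on responder:", can_negotiate(SITE_A, SITE_B_WIDER, 1, True))
    print("IKEv2, wider responder:", can_negotiate(SITE_A, SITE_B_WIDER, 2))
    print("negotiated range:", negotiated(SITE_A, SITE_B_WIDER))
    print("rule order ok:", rule_order_ok([(5, "10.1.1.0/24", "10.2.2.0/24"),
                                           (10, "10.1.0.0/16", "10.2.0.0/16")]))
```

With the wider responder, site A can bring the tunnel up under IKEv2 or against a template-based IKEv1 responder, and the negotiated range collapses to A's narrower /24 pair; if site B initiates instead, its /16 range is not a subset of A's and negotiation fails, which is why the page recommends mirrored rules.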

How to configure Assured Forwarding (AF) for packets of a certain type on an AR
On AR routers, you can run the queue af command to configure Assured Forwarding (AF) for packets of a certain type and set their minimum bandwidth. AF ensures a low drop probability for the packets as long as the rate of outgoing service traffic does not exceed the minimum bandwidth. It is applied to heavy-traffic services whose bandwidth needs to be guaranteed.
Configuration example: set the minimum bandwidth for traffic from network segment 192.168.100.0/24 to 3000 kbit/s.
[Huawei] acl 3022 //Create an advanced ACL to match the traffic whose bandwidth is to be assured.
[Huawei-acl-adv-3022] rule permit ip source 192.168.100.0 0.0.0.255
[Huawei-acl-adv-3022] quit
[Huawei] traffic classifier c
[Huawei-classifier-c] if-match acl 3022 //Create a traffic classifier that matches the traffic permitted by the ACL.
[Huawei-classifier-c] quit
[Huawei] traffic behavior b
[Huawei-behavior-b] queue af bandwidth 3000 //Create a traffic behavior and set the minimum bandwidth to 3000 kbit/s.
[Huawei-behavior-b] quit
[Huawei] traffic policy p
[Huawei-trafficpolicy-p] classifier c behavior b //Create a traffic policy and bind the traffic classifier and traffic behavior to it.
[Huawei-trafficpolicy-p] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] traffic-policy p outbound //Apply the traffic policy to the interface in the outbound direction.
