How does IPSec on an AR router define data flows to be protected


IPSec can protect one or more data flows. If an ACL is used to establish an IPSec tunnel, the ACL can specify data flows to be protected by IPSec. In practice, you need to configure an ACL to define data flows to be protected and reference the ACL in an IPSec policy to protect the data flows. An IPSec policy can reference only one ACL:
- If different data flows have different security requirements, create different ACLs and IPSec policies.
- If different data flows have the same security requirements, configure multiple rules in an ACL to protect different data flows.

When configuring IPSec, pay attention to the following points:
- The ACLs at both ends of an IPSec tunnel must define the same protocol type. For example, if the ACL at one end defines an IP protocol, the ACL at the other end must use the IP protocol.
- When ACL rules at both ends of an IPSec tunnel mirror each other, SAs can be set up successfully no matter which party initiates negotiation. If ACL rules at both ends of an IPSec tunnel do not mirror each other, SAs can be set up successfully only when the range specified by ACL rules on the initiator is the subset of ACL rules on the responder. It is recommended that ACL rules at both ends of an IPSec tunnel mirror each other. That is, the source and destination addresses of an ACL at one end are the destination and source addresses of an ACL at the other end.
- For IKEv1, if IPSec policies in ISAKMP mode are configured at both ends, ACL rules at both ends of an IPSec tunnel must mirror each other. If an IPSec policy in ISAKMP mode is configured at one end and an IPSec policy using an IPSec policy template is configured at the other end, the range of ACL rules in the IPSec policy in ISAKMP mode can be the subset of ACL rules in the IPSec policy using an IPSec policy template. The devices use overlapping rules as the negotiation result.
- For IKEv2, mirroring is not necessary. SAs can be set up successfully as long as the range of ACL rules configured on the initiator is a subset of the range configured on the responder. The devices use the overlapping rules as the negotiation result.
- The ACL rule with a larger rule ID cannot completely cover the ACL rule with a smaller rule ID.
- ACLs referenced by the same IPSec policy group cannot contain the same ACL rule.
- When IKEv2 is used, ACL rules referenced by IPSec policies of an IPSec policy group cannot overlap.
- When the negotiation responder uses an IPSec policy that is created through an IPSec policy template:
  - You must specify the source IP address in the ACL rule referenced by the IPSec policy on the initiator; otherwise, the IPSec tunnel cannot be set up.
  - If data flows to be protected are not specified on the responder, the responder accepts the range of data flows to be protected on the initiator. If data flows to be protected are specified, the ACL on the responder must mirror the ACL on the initiator, or the range specified by the ACL on the responder must cover the range specified by the ACL on the initiator.
- If NAT is configured on the interface to which an IPSec policy is applied, IPSec may not take effect because NAT is performed first. You can use either of the following methods:
  - Configure the destination IP address that matches the deny clause in the ACL referenced by NAT as the destination IP address in the ACL referenced by IPSec. In this case, data flows protected by IPSec are not translated by NAT.
  - Configure the ACL rule referenced by IPSec to match the IP address translated by NAT.
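The mirroring, subset and coverage constraints above can be checked before the configuration is committed. The following checker is an added example, not code from the AR router or Huawei documentation; it models each ACL rule as a protocol plus source and destination prefixes (CIDR prefixes stand in for Huawei wildcard masks), and the rule names, sample networks and mode labels are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Rule:
    rule_id: int
    proto: str          # "ip", "tcp", "udp", ... (assumed model of the ACL rule)
    src: IPv4Network
    dst: IPv4Network


def mk_rule(rule_id, proto, src, dst):
    """Build a Rule from CIDR strings (constructed sample input, not router output)."""
    return Rule(rule_id, proto, ip_network(src), ip_network(dst))


def is_mirror(a, b):
    """Same protocol type, source and destination swapped."""
    return a.proto == b.proto and a.src == b.dst and a.dst == b.src


def covers(outer, inner):
    """outer completely covers inner's flow range; protocol types must match."""
    return (outer.proto == inner.proto
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst))


def overlaps(a, b):
    """The two rules match at least one common flow."""
    return a.proto == b.proto and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)


def local_violations(acl):
    """Rule-ID pairs where the larger ID completely covers the smaller ID."""
    ordered = sorted(acl, key=lambda r: r.rule_id)
    return [(hi.rule_id, lo.rule_id) for i, lo in enumerate(ordered)
            for hi in ordered[i + 1:] if covers(hi, lo)]


def negotiation_ok(initiator, responder, mode):
    """'ikev1-isakmp': ISAKMP policies at both ends, rules must mirror exactly.
    'subset': IKEv2, or IKEv1 against a policy template; the initiator's range
    must fall inside the responder's range seen from the responder's side."""
    if mode == "ikev1-isakmp":
        return (all(any(is_mirror(i, r) for r in responder) for i in initiator)
                and all(any(is_mirror(r, i) for i in initiator) for r in responder))
    mirrored = [Rule(r.rule_id, r.proto, r.dst, r.src) for r in responder]
    return all(any(covers(m, i) for m in mirrored) for i in initiator)


def group_overlaps(acls):
    """IKEv2: rules referenced by different policies of one policy group must not overlap."""
    return [(a.rule_id, b.rule_id) for x in range(len(acls)) for y in range(x + 1, len(acls))
            for a in acls[x] for b in acls[y] if overlaps(a, b)]
```

Run `local_violations` on each ACL and `negotiation_ok` on the initiator/responder pair for the IKE version in use; an empty violation list and a True result mean the rules satisfy the constraints listed above.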

Other related questions:
How to assure forwarding of IPSec data flows on an AR
Configure the QoS function for IPSec packets first, and then configure assured forwarding (AF) for IPSec data flows through MQC.
system-view
[Huawei]ipsec policy huawei 1 manual //Create an IPSec policy, set the SA creation mode to manual, and enter the IPSec policy view. Alternatively, you can complete the following configurations in the ISAKMP policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view, or GDOI policy view.
[Huawei-ipsec-policy-manual-huawei-1]qos group 10 //Configure the QoS group to which IPSec packets belong.
[Huawei-ipsec-policy-manual-huawei-1]quit
[Huawei]traffic classifier c1 //Create a traffic classifier and enter the traffic classifier view.
[Huawei-classifier-c1]if-match qos-group 10 //Configure a matching rule based on QoS group 10.
[Huawei-classifier-c1]quit
[Huawei]traffic behavior b1 //Create a traffic behavior and enter the traffic behavior view.
[Huawei-behavior-b1]queue af bandwidth 3000 //Configure AF for the matched data flow.
[Huawei-behavior-b1]quit
[Huawei]traffic policy p1 //Create a traffic policy and enter the traffic policy view.
[Huawei-trafficpolicy-p1]classifier c1 behavior b1 //Bind the traffic classifier to the traffic behavior.
[Huawei-trafficpolicy-p1]quit
[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-policy p1 outbound //Apply the traffic policy on the interface.

How to configure an AR to limit the rate of IPSec data flows
To configure an AR to limit the rate of IPSec data flows, configure the QoS function for IPSec packets first, and then configure rate limiting for IPSec data flows through MQC.
system-view
[Huawei]ipsec policy huawei 1 manual //Create an IPSec policy, set the SA creation mode to manual, and enter the IPSec policy view. Alternatively, you can complete the following configurations in the ISAKMP policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view, or GDOI policy view.
[Huawei-ipsec-policy-manual-huawei-1]qos group 10 //Configure the QoS group to which IPSec packets belong.
[Huawei-ipsec-policy-manual-huawei-1]quit
[Huawei]traffic classifier c1 //Create a traffic classifier and enter the traffic classifier view.
[Huawei-classifier-c1]if-match qos-group 10 //Configure a matching rule based on QoS group 10.
[Huawei-classifier-c1]quit
[Huawei]traffic behavior b1 //Create a traffic behavior and enter the traffic behavior view.
[Huawei-behavior-b1]car cir 3000 //Limit the rate of the matched traffic.
[Huawei-behavior-b1]quit
[Huawei]traffic policy p1 //Create a traffic policy and enter the traffic policy view.
[Huawei-trafficpolicy-p1]classifier c1 behavior b1 //Bind the traffic classifier to the traffic behavior.
[Huawei-trafficpolicy-p1]quit
[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-policy p1 outbound //Apply the traffic policy on the interface.

Configuring interested IPSec data flows on the firewall
Common IPSec maintenance commands on the USG:
display ike peer //Display the configuration of the IKE peer.
display ike proposal //Display the configuration of the IKE proposal.
display ike sa //Display information about the SAs established through IKE negotiation.
display ipsec policy //Display the configuration of the IPSec policy.
display ipsec policy-template //Display the configuration of the IPSec policy template.
display ipsec proposal //Display the configuration of the IPSec proposal.
display ipsec sa //Display information about the IPSec SAs.
display ipsec sa global-configuration //Display the global configuration of IPSec SAs, including the global hard lifetime, global soft lifetime, and global anti-replay settings.
display ipsec statistics //Display IPSec packet statistics.

how to limit the flow of IPSec VPN with the USG6000
You can run the speed-limit command to limit the rate of IPSec traffic. When multiple IPSec tunnels are set up on an NGFW, heavy traffic on one tunnel can contend with traffic on the others. The speed-limit command limits the packet rate of each IPSec tunnel; packets that exceed the limit are discarded, so that traffic on every tunnel continues to be forwarded.
