Applying an IPSec Policy Group to an Interface
Context
To use IPSec to protect data flows on an interface, apply an IPSec policy group to the interface. After an IPSec policy group is unbound from an interface, the interface does not provide IPSec protection.
An IPSec policy group is a set of IPSec policies with the same name but different sequence numbers. An IPSec policy group can contain multiple IPSec policies established manually or in IKE negotiation mode but only one IPSec policy template, as shown in Figure 1. One IPSec policy corresponds to one advanced ACL. In an IPSec policy group, an IPSec policy with a smaller sequence number has a higher priority.
After an IPSec policy group is applied to an interface, all IPSec policies in the group are applied to the interface and protect different data flows.
When sending a packet, an interface matches the packet with IPSec policies in an IPSec policy group in ascending order of sequence number. If the packet matches the ACL referenced by an IPSec policy, the packet is processed based on the IPSec policy. If no matching ACL is found after all IPSec policies are checked, the interface sends the packet directly without IPSec protection.
The interface where IPSec policies are applied must be the interface where an IPSec tunnel is established, and the interface must be the outbound interface in the private route to the remote end. If an IPSec policy is applied to another interface but not the target interface, VPN service forwarding may fail.
Only one IPSec policy group can be applied to an interface, and an IPSec policy group can be applied to only one interface.
After an IPSec policy group is applied to an interface, referenced ACLs and IKE peers in IPSec policies of the IPSec policy group cannot be modified.
- Layer 2 interface, including GE interface, and GE sub-interface.
- Layer 3 interface, GE interface, Eth-Trunk, GE sub-interface, Eth-Trunk sub-interface, VLANIF interface, Virtual-if interface, tunnel interface, dialer interface.
An IPSec policy group cannot be applied a Layer 2 interface and the corresponding VLANIF interface simultaneously.
When an L2TP over IPSec tunnel or a GRE over IPSec tunnel is set up using an ACL, an IPSec policy group can be only applied to a physical interface or Virtual-if interface.
When applying an IPSec policy to a tunnel interface and running the source command to specify an IP address for the interface, you must run the tunnel local command to configure a tunnel local address. Otherwise, IKE negotiation will fail.
In a dual-node hot standby and VRRP scenario, if you run the ip address unnumbered interface command on a tunnel interface to borrow the IP address of a physical interface, the tunnel interface can borrow only the actual address but not VRRP virtual IP address of the physical interface. Therefore, you must run the source command to specify the VRRP virtual IP address. Otherwise, IPSec services will be interrupted during a dual-node switchover.
When multiple branches connect to the headquarters, multiple tunnel interfaces in the headquarters borrow the same physical interface IP address. In this scenario, the headquarters can identify the tunnel interface connected to a branch through the peer IP address or peer ID of the IKE peer (Only IKEv1 in aggressive mode supports the peer ID mode.).
When multiple branches are connected to the headquarters, if some tunnel interfaces at the headquarters borrow an IP address from a physical interface, borrow an IP address from a physical interface as their source address, or borrow a virtual IP address from a physical interface as their tunnel local address, the mappings between IKE peers and tunnel interfaces may be incorrect. As a result, an IPSec tunnel fails to be established.
In an IPSec policy group, if multiple policies are bound to different IKE peers, the remote addresses specified in the IKE peers cannot be the same. Otherwise, IKE negotiation of some IPSec policies fails.
- The device does not support IPSec 6 over GRE.
Prerequisites
Before applying an IPSec policy group to an interface, complete the following tasks:
- Configuring a VLAN on a Layer 2 interface if the IPSec policy group needs to be applied to the Layer 2 interface
- Configuring an IP address for a Layer 3 interface if the IPSec policy group needs to be applied to the Layer 3 interface
- Setting the encapsulation mode of a virtual tunnel interface to IPSec, mGRE, or GRE and configuring an IP address for the interface or configuring the interface to borrow an IP address from another interface if the IPSec policy group needs to be applied to the virtual tunnel interface
- Configuring dot1q encapsulation on a sub-interface if the IPSec policy group needs to be applied to the sub-interface
Procedure
- Run system-view
The system view is displayed.
- Run the following commands as required.
Run interface interface-type interface-number
The interface view is displayed.
Run interface interface-type interface-number.subinterface-number
The sub-interface view is displayed.
Run interface tunnel interface-number
The virtual tunnel interface view is displayed.
- Run ipsec policy policy-name [ alone | master | slave ]
Or run ipsec policy policy-name public [ alone | master | slave ]
An IPSec policy group is applied to the interface of the system or the virtual system.
After an IPSec policy established in manual mode is applied to an interface, an SA is generated immediately.
After an IPSec policy established in IKE negotiation mode is applied to an interface, an IPSec tunnel can be triggered in auto or traffic mode using the sa trigger-mode { auto | traffic-based } command.
After an SA is created successfully, data flows are transmitted securely over the IPSec tunnel.
In a scenario where IPSec hot standby in load balancing mode is configured, you must configure the IPSec policy group status. In other scenarios, you do not need to configure the IPSec policy group status.