HP 6125XLG R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 211
Protocols and standards, FIPS compliance, IPsec tunnel establishment, Implementing ACL-based IPsec
consumes more system resources when multiple data flows exist between two subnets to be protected.

Protocols and standards

• RFC 2401, Security Architecture for the Internet Protocol
• RFC 2402, IP Authentication Header
• RFC 2406, IP Encapsulating Security Payload
• RFC 4552, Authentication/Confidentiality for OSPFv3

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

IPsec tunnel establishment

The switch supports establishing only ACL-based IPsec tunnels. An ACL-based IPsec tunnel protects packets identified by an ACL. To establish an ACL-based IPsec tunnel, configure an IPsec policy, reference an ACL in the policy, and apply the policy to a physical interface. By referencing various ACL rules, you can configure flexible IPsec policies according to your network conditions.

Implementing ACL-based IPsec

To ensure a successful ACL-based IPsec setup, read the feature restrictions and guidelines carefully before you configure an ACL-based IPsec tunnel.

Feature restrictions and guidelines

ACLs for IPsec tunnels take effect only on traffic generated by the device and traffic destined for the device. They do not take effect on traffic forwarded through the device. For example, an ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it does not protect data flows and voice flows that are forwarded by the device. For more information about configuring an ACL for IPsec, see "Configuring an ACL."

Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50, respectively. Make sure flows of these protocols are not denied on the interfaces with IKE or IPsec configured.

ACL-based IPsec configuration task list

The generic configuration procedure for implementing ACL-based IPsec is as follows:

1. Configure an ACL for identifying data flows to be protected.
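A check for the second guideline above, added here as an example and not taken from the HP guide: it evaluates an ordered packet filter first-match and reports which of the IKE (UDP 500), ESP (protocol 50) and AH (protocol 51) flows it would deny before the filter is applied on an IPsec-enabled interface. The rule syntax and the implicit final deny are constructed simplifications, not the switch's real ACL grammar.

```python
import re
from typing import List, Optional, Tuple

# Flows the guide says must not be denied on an interface with IKE or IPsec:
# name -> (IP protocol number, destination port or None for any).
IPSEC_FLOWS = {"IKE": (17, 500), "ESP": (50, None), "AH": (51, None)}
PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}

# Constructed rule format: "rule <n> <permit|deny> <proto> [destination-port eq <port>]".
RULE_RE = re.compile(
    r"rule\s+\d+\s+(permit|deny)\s+(\S+)(?:\s+destination-port\s+eq\s+(\d+))?$")

Rule = Tuple[str, Optional[int], Optional[int]]  # (action, proto or None=any, port or None=any)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    action, proto, port = m.groups()
    proto_num = PROTO_NAMES[proto] if proto in PROTO_NAMES else int(proto)
    return action, proto_num, (int(port) if port is not None else None)


def first_match(rules: List[Rule], proto: int, port: Optional[int]) -> str:
    """First matching rule wins; unmatched traffic is treated as denied
    (an assumed implicit default, not a statement from the guide)."""
    for action, r_proto, r_port in rules:
        if (r_proto is None or r_proto == proto) and (r_port is None or r_port == port):
            return action
    return "deny"


def blocked_ipsec_flows(acl_lines: List[str]) -> List[str]:
    """Names of IPsec flows (IKE/ESP/AH) the filter would deny."""
    rules = [parse_rule(line) for line in acl_lines]
    return [name for name, (proto, port) in IPSEC_FLOWS.items()
            if first_match(rules, proto, port) == "deny"]


if __name__ == "__main__":
    # Constructed sample filter: permits IKE and ESP but forgets AH.
    sample = ["rule 0 permit udp destination-port eq 500",
              "rule 5 permit 50",
              "rule 10 deny ip"]
    print(blocked_ipsec_flows(sample))  # ['AH']
```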