IPsec policy and IPsec profile
IPsec policies and IPsec profiles define the parameters used to establish IPsec tunnels between two peers and the range of packets to be protected.
IPsec policy
An IPsec policy is a set of IPsec policy entries that have the same name but different sequence numbers.
An IPsec policy contains the following settings:
An ACL that defines the range of data flows to be protected.
An IPsec transform set that defines the security parameters used for IPsec protection.
IPsec SA establishment mode.
IPsec SAs can be established through manual configuration or IKE negotiation.
Local and remote IP addresses that define the start and end points of the IPsec tunnel.
In the same IPsec policy, an IPsec policy entry with a smaller sequence number has a higher priority. When sending a packet, an interface to which an IPsec policy is applied looks through the policy's entries in ascending order of sequence numbers. If the packet matches the ACL of an IPsec policy entry, the interface encapsulates the packet according to that entry. If no match is found, the interface sends the packet out without IPsec protection, so any flow that must be protected has to be covered by a permit rule in at least one entry's ACL; otherwise it leaves the interface in clear text.
When the interface receives an IPsec packet destined for the local device, it searches for the inbound IPsec SA according to the SPI in the IPsec packet header and de-encapsulates the packet with that SA. If the de-encapsulated packet matches a permit rule of the ACL of the IPsec policy entry associated with the SA, the device processes the packet. If the de-encapsulated packet does not match a permit rule of that ACL, the device drops it, so a peer cannot push traffic through the tunnel that lies outside the range the policy entry protects.
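The following is an added example, not code from the original page or from the product documented here. It models the two lookups described above in Python: the outbound walk through policy entries in ascending sequence order with first-ACL-match-wins semantics, and the inbound path that locates the SA by SPI and then checks the de-encapsulated packet against the entry's ACL. The ACL, packet and SA structures, the constructed addresses, SPI and entry names (policy1, tran1, acl 3000/3001) are all assumptions of the example. Because the ACL describes the outbound flow, the inbound check is performed on the mirrored source/destination pair; that mirroring is also an assumption of this model rather than a statement from the page.

```python
"""Model of IPsec policy outbound entry selection and inbound SPI/ACL check.

Added example, not code from the original page. ACL, packet and SA structures
are simplified assumptions: an ACL is an ordered list of permit/deny rules on
IPv4 source/destination prefixes; an inbound SA is identified by its SPI and
bound to the policy entry it was established for.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclRule:
    action: str                        # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


@dataclass
class Acl:
    rules: List[AclRule]

    def permits(self, src_ip: str, dst_ip: str) -> bool:
        """First matching rule decides; a flow matching no rule is not permitted."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip):
                return rule.action == "permit"
        return False


@dataclass
class PolicyEntry:
    seq: int                           # smaller sequence number = higher priority
    acl: Acl                           # data flows this entry protects
    transform_set: str                 # security parameters (name only in this model)
    local_addr: str                    # tunnel start point
    remote_addr: str                   # tunnel end point


@dataclass
class IpsecPolicy:
    name: str
    entries: Dict[int, PolicyEntry] = field(default_factory=dict)

    def add(self, entry: PolicyEntry) -> None:
        self.entries[entry.seq] = entry

    def outbound_lookup(self, src_ip: str, dst_ip: str) -> Optional[PolicyEntry]:
        """Walk entries in ascending sequence order; the first ACL permit wins.
        None means the packet leaves the interface without IPsec protection."""
        for seq in sorted(self.entries):
            entry = self.entries[seq]
            if entry.acl.permits(src_ip, dst_ip):
                return entry
        return None


@dataclass
class InboundSa:
    spi: int
    entry: PolicyEntry                 # policy entry this SA was established for


def inbound_process(sa_table: Dict[int, InboundSa], spi: int,
                    inner_src: str, inner_dst: str) -> str:
    """Inbound path: look up the SA by SPI, then check the de-encapsulated
    packet against the bound entry's ACL. The ACL describes the outbound flow,
    so the check uses the mirrored src/dst pair (assumption of this model).
    Returns "no-sa", "drop" or "accept"."""
    sa = sa_table.get(spi)
    if sa is None:
        return "no-sa"                 # no SA to de-encapsulate with
    if sa.entry.acl.permits(inner_dst, inner_src):   # mirrored direction
        return "accept"
    return "drop"                      # traffic outside the protected range


def build_demo():
    """Constructed sample: two entries with overlapping ACLs and one inbound SA.
    All names and addresses are assumptions for the example."""
    net = ipaddress.ip_network
    acl_3000 = Acl([AclRule("permit", net("10.1.1.0/24"), net("10.2.2.0/24"))])
    acl_3001 = Acl([AclRule("deny", net("10.1.9.9/32"), net("10.2.0.0/16")),
                    AclRule("permit", net("10.1.0.0/16"), net("10.2.0.0/16"))])
    policy = IpsecPolicy("policy1")
    policy.add(PolicyEntry(10, acl_3000, "tran1", "1.1.1.1", "2.2.2.2"))
    policy.add(PolicyEntry(20, acl_3001, "tran2", "1.1.1.1", "3.3.3.3"))
    sa_table = {0x1000: InboundSa(0x1000, policy.entries[10])}
    return policy, sa_table


if __name__ == "__main__":
    pol, sas = build_demo()
    hit = pol.outbound_lookup("10.1.1.5", "10.2.2.7")
    print("outbound 10.1.1.5->10.2.2.7: entry", hit.seq if hit else "none (clear text)")
    print("inbound spi 0x1000 10.2.9.9->10.1.1.5:",
          inbound_process(sas, 0x1000, "10.2.9.9", "10.1.1.5"))
```

The flow 10.1.1.5 to 10.2.2.7 is permitted by both entries, but entry 10 is chosen because it has the smaller sequence number. The host 10.1.9.9 hits the deny rule in acl 3001 and no other entry, so its traffic would go out unprotected; that is the case the preceding paragraph warns about. On the inbound side, a packet carried under SPI 0x1000 whose inner addresses fall outside acl 3000 is dropped even though it decrypted correctly.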
IPsec profile
An IPsec profile has settings similar to those of an IPsec policy, but it is uniquely identified by its name alone and does not support ACL configuration, so the traffic it protects is determined by where the profile is applied rather than by a data-flow ACL.
IPsec profiles can be classified into the following types:
Manual IPsec profile—A manual IPsec profile is used to protect IPv6 routing protocols. It specifies the IPsec transform set used for protecting data flows, and the SPIs and keys used by the SAs.
IKE-based IPsec profile—An IKE-based IPsec profile is applied to tunnel interfaces to protect tunneled traffic. It specifies the IPsec transform sets used for protecting data flows, and the IKE profile used for IKE negotiation.