3Com Router 3000 Ethernet Family Configuration Guide
Chapter 7 IPSec Configuration
3Com Corporation 7-23

Table 7-21 Use IPSec policy group

Operation                                 Command
Use the IPSec policy group                ipsec policy policy-name
Remove the IPSec policy group in use      undo ipsec policy [ policy-name ]

An interface can only use one IPSec policy group. Only an ISAKMP IPSec policy group can be used on more than one interface. A manually configured IPSec policy group can only be used on one interface.

When a packet is transmitted from an interface, the IPSec policies in the IPSec policy group are searched by sequence number in ascending order. If an access control list referenced by an IPSec policy permits the packet, the packet is processed by that IPSec policy. If the packet is not permitted, the search continues with the next IPSec policy. If the packet is not permitted by any access control list referenced by the IPSec policies, it is transmitted directly (IPSec does not protect the packet).

Huawei's IPSec policy implementation can be applied not only to physical ports such as serial ports and Ethernet ports, but also to virtual interfaces such as Tunnel and Virtual Template. In this way, IPSec can be applied to tunnels such as GRE and L2TP according to the actual networking requirements.

7.2.6 Disabling Next-Payload Field Checking

An IKE negotiation packet comprises multiple payloads; the next-payload field is in the generic header of the last payload. According to the protocol, this field should be set to 0. It may, however, vary by vendor. For the sake of compatibility, you can use the ike next-payload check disabled command to ignore this field during IPSec negotiation.

Table 7-22 Disable the router to check the next-payload field

Operation                                                   Command
Disable the router to check the next-payload field in       ike next-payload check disabled
the last payload of the IKE negotiation packet during
IPSec negotiation
Restore the default                                         undo ike next-payload check disabled

By default, the router checks the next-payload field in the last payload of the IKE negotiation packet during IPSec negotiation.
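
The following sketch is an added example, not code from the guide or from the router. It walks the payload chain of an unencrypted ISAKMP message and shows what the next-payload check accepts and rejects. It assumes the RFC 2408 header layout; the names walk_payloads, build_message and check_last_next_payload are hypothetical, and the sample messages are constructed.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 fixed header (28 bytes)
GENERIC_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length


class IkeParseError(ValueError):
    pass


def walk_payloads(msg, check_last_next_payload=True):
    """Return [(payload_type, body), ...] for one unencrypted ISAKMP message.

    check_last_next_payload is a hypothetical switch modelling the router option.
    """
    if len(msg) < ISAKMP_HDR.size:
        raise IkeParseError("truncated ISAKMP header")
    fields = ISAKMP_HDR.unpack_from(msg)
    next_type, total = fields[2], fields[7]
    if total != len(msg):
        raise IkeParseError("header length does not match message size")
    offset, payloads = ISAKMP_HDR.size, []
    while offset < total:
        if next_type == 0:
            raise IkeParseError("data after the payload marked as last")
        if total - offset < GENERIC_HDR.size:
            raise IkeParseError("truncated generic payload header")
        following, _reserved, plen = GENERIC_HDR.unpack_from(msg, offset)
        # Bounds come from the lengths, never from the next-payload value.
        if plen < GENERIC_HDR.size or offset + plen > total:
            raise IkeParseError("payload length out of bounds")
        payloads.append((next_type, msg[offset + GENERIC_HDR.size:offset + plen]))
        offset, next_type = offset + plen, following
    if check_last_next_payload and next_type != 0:
        raise IkeParseError("last payload has next-payload %d, expected 0" % next_type)
    return payloads


def build_message(payloads, last_next_payload=0):
    """Constructed sample input: chain (type, body) pairs into one message."""
    types = [t for t, _ in payloads] + [last_next_payload]
    body = b"".join(
        GENERIC_HDR.pack(types[i + 1], 0, GENERIC_HDR.size + len(data)) + data
        for i, (_, data) in enumerate(payloads))
    header = ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, types[0], 0x10, 2, 0, 0,
                             ISAKMP_HDR.size + len(body))
    return header + body
```

With the check relaxed, the walk still ends at the length given in the ISAKMP header, so a nonzero value in the last payload cannot steer the parser past the end of the message.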