Applying an IPSec Policy Group to an Interface

An IPSec policy group is a collection of IPSec policies with the same name but different sequence numbers. In an IPSec policy group, an IPSec policy with a smaller sequence number has a higher priority.

You can apply an IPSec policy group to an interface (logical or physical) to protect certain data flows. To cancel the IPSec protection, remove the application of the IPSec policy group.

For each packet to be sent out through an IPSec protected interface, the system checks the IPSec policies of the IPSec policy group in ascending order of sequence numbers. If it finds an IPSec policy whose ACL matches the packet, it uses that IPSec policy to protect the packet. If no ACL of the IPSec policies matches the packet, the system does not provide protection for the packet and sends the packet out directly.

In addition to physical interfaces like serial ports and Ethernet ports, an IPSec policy can be applied to virtual interfaces such as tunnel interfaces and virtual template interfaces. Therefore, an IPSec policy can be used on tunnels such as GRE tunnels and L2TP tunnels as needed.

Follow these steps to apply an IPSec policy group to an interface:

To do...                                      Use the command...                         Remarks
Enter system view                             system-view                                -
Enter interface view                          interface interface-type interface-number  -
Apply an IPSec policy group to the interface  ipsec policy policy-name                   Required

Note: An interface can reference only one IPSec policy group. An IKE-dependent IPSec policy can be applied to more than one interface, while a manual IPSec policy can be applied to only one interface.

Binding an IPSec Policy (Group) to an Encryption Card

To provide data authentication, encryption and decryption through an encryption card, you need to bind the IPSec policy or the IPSec policy group for the SAs to the encryption card. By binding the IPSec policy or IPSec policy group to multiple encryption cards, you can implement redundancy and improve resiliency.

You can specify an encryption card as the primary card for an IPSec policy or IPSec policy group, and you can specify the primary card for an IPSec policy or IPSec policy group repeatedly. However, only the last one takes effect. An IPSec policy or an IPSec policy group uses the bound primary card to provide security services. If there is no primary card, an IPSec policy or IPSec policy group prefers the first available encryption card that is bound to it. Once an IPSec policy or IPSec policy group takes a second encryption card as the primary card, the new primary card begins to provide security services immediately.

If you remove the binding of an IPSec policy or policy group to an encryption card, the matched packets will no longer be serviced by the card.

Follow these steps to bind an IPSec policy or policy group to an encryption card:
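
Returning to the policy lookup described under "Applying an IPSec Policy Group to an Interface": the Python model below is an added example, not code from this manual or from the device. It reproduces the ascending-sequence, first-match selection so a policy group can be audited for flows that would leave unprotected and for policies that a lower sequence number makes unreachable. As assumptions, ACLs are simplified to source/destination prefix pairs (no deny rules, protocols or ports), and all labels and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    seq: int      # sequence number inside the policy group
    acl: tuple    # (src_prefix, dst_prefix) pairs the ACL permits (simplified)
    label: str    # hypothetical description, for the audit output only

def _net(prefix):
    return ipaddress.ip_network(prefix)

def matches(policy, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in _net(a) and d in _net(b) for a, b in policy.acl)

def select_policy(group, src, dst):
    """First policy in ascending sequence order whose ACL matches, else None."""
    for policy in sorted(group, key=lambda p: p.seq):
        if matches(policy, src, dst):
            return policy
    return None  # no ACL matched: the packet is sent out without protection

def shadowed(group):
    """Sequence numbers whose every ACL rule lies inside a single rule of a
    lower-numbered policy, so the policy can never be selected.
    Conservative: coverage by a union of several rules is not detected."""
    ordered = sorted(group, key=lambda p: p.seq)
    hidden = []
    for i, policy in enumerate(ordered):
        earlier = [rule for q in ordered[:i] for rule in q.acl]
        if policy.acl and all(
            any(_net(a).subnet_of(_net(ea)) and _net(b).subnet_of(_net(eb))
                for ea, eb in earlier)
            for a, b in policy.acl
        ):
            hidden.append(policy.seq)
    return hidden

# Constructed policy group: seq 20 was meant to give one subnet stronger
# protection, but the broader ACL at seq 10 is checked first.
GROUP = [
    Policy(10, (("10.1.0.0/16", "10.2.0.0/16"),), "general site-to-site"),
    Policy(20, (("10.1.5.0/24", "10.2.0.0/16"),), "sensitive subnet"),
    Policy(30, (("10.1.0.0/16", "192.168.9.0/24"),), "partner link"),
]

if __name__ == "__main__":
    for src, dst in [("10.1.5.7", "10.2.0.9"), ("10.1.5.7", "192.168.9.4"),
                     ("10.1.5.7", "203.0.113.5")]:
        hit = select_policy(GROUP, src, dst)
        print(src, "->", dst, ":", f"seq {hit.seq} ({hit.label})" if hit else "UNPROTECTED")
    print("unreachable sequence numbers:", shadowed(GROUP))
```

Giving the narrower ACL the smaller sequence number makes it reachable; flows reported as unprotected need either a matching ACL rule or a separate control that blocks them on that interface.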