Configuring IPsec Anti-Replay Redundancy; Binding a Source Interface to an IPsec Policy - HP FlexFabric 5700 Series Security Configuration Manual

Configuring IPsec anti-replay redundancy

This feature synchronizes the following information from the master device to all subordinate devices in an IRF fabric at configurable packet-based intervals:
- Lower bound values of the IPsec anti-replay window for inbound packets.
- IPsec anti-replay sequence numbers for outbound packets.
This feature, used together with IPsec redundancy, ensures uninterrupted IPsec traffic forwarding and anti-replay protection when the master device in an IRF fabric fails.
To configure IPsec anti-replay redundancy:
Step 1. Enter system view.
        Command: system-view
        Remarks: N/A

Step 2. Enable IPsec redundancy.
        Command: ipsec redundancy enable
        Remarks: By default, IPsec redundancy is disabled.

Step 3. Enter IPsec policy view or IPsec policy template view.
        Command (IPsec policy view): ipsec { policy | ipv6-policy } policy-name seq-number [ isakmp | manual ]
        Command (IPsec policy template view): ipsec { policy-template | ipv6-policy-template } template-name seq-number
        Remarks: N/A

Step 4. Set the anti-replay window synchronization interval for inbound packets and the sequence number synchronization interval for outbound packets.
        Command: redundancy replay-interval inbound inbound-interval outbound outbound-interval
        Remarks: By default, the master device synchronizes the anti-replay window every time it receives 1000 packets and the sequence number every time it sends 100000 packets.

Binding a source interface to an IPsec policy

For high availability, a core device is usually connected to an ISP through two links, which operate in backup or load sharing mode. Each of the two interfaces negotiates with its peer to establish its own IPsec SAs. When one interface fails and a link failover occurs, the other interface needs some time to renegotiate SAs, resulting in service interruption.
To solve this problem, bind a source interface to an IPsec policy and apply the policy to both interfaces. This enables the two physical interfaces to use the same source interface to negotiate IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs are not removed and keep working, regardless of link failover.
Follow these guidelines when you perform this task:
- Only IKE-based IPsec policies can be bound to a source interface.
- An IPsec policy can be bound to only one source interface.
- A source interface can be bound to multiple IPsec policies.
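The anti-replay redundancy mechanism described above, modelled as an added example (this is not HP Comware code; the window size of 64, the RFC 4303 sliding-window semantics and the way the standby behaves at failover are assumptions of the model). It shows why the inbound interval bounds the replay exposure a standby inherits at failover, and why outbound numbering must skip ahead of anything the master may already have sent.

```python
# Added example (not HP Comware code): a model of the anti-replay state an IRF
# master shares with a standby, to show what the two synchronization intervals
# mean at failover. Window semantics follow the RFC 4303 sliding window.
WINDOW = 64  # assumed anti-replay window size (packets)

class ReplayWindow:
    """Sliding anti-replay window: a lower bound plus the set of accepted seqs."""
    def __init__(self, lower=0):
        self.lower = lower  # lowest sequence number still accepted
        self.seen = set()   # accepted sequence numbers at or above lower

    def check(self, seq):
        """Accept seq if it is new and not below the window; slide as needed."""
        if seq < self.lower or seq in self.seen:
            return False
        if seq >= self.lower + WINDOW:
            self.lower = seq - WINDOW + 1
            self.seen = {s for s in self.seen if s >= self.lower}
        self.seen.add(seq)
        return True

def inbound_exposure(sync_interval, packets_received):
    """Sequence numbers a standby accepts after failover that the master would
    reject. Only the lower bound is synchronized (every sync_interval packets);
    the bitmap of seen packets is not, so the window itself is always exposed."""
    master, standby_lower = ReplayWindow(), 0
    for seq in range(1, packets_received + 1):
        master.check(seq)
        if seq % sync_interval == 0:
            standby_lower = master.lower  # master pushes its lower bound
    standby = ReplayWindow(standby_lower)  # failover: standby takes over
    # every seq here is already rejected by the master; count the standby's accepts
    return sum(standby.check(seq) for seq in range(1, packets_received + 1))

def outbound_drops(sync_interval, packets_sent):
    """Packets the peer drops after failover if the standby resumes outbound
    numbering from the last synchronized sequence number rather than skipping
    ahead of everything the master may already have sent."""
    peer, synced = ReplayWindow(), 0
    for seq in range(1, packets_sent + 1):
        peer.check(seq)
        if seq % sync_interval == 0:
            synced = seq  # master pushes its outbound sequence number
    # standby re-uses synced+1 .. packets_sent; the peer has seen them all
    return sum(not peer.check(seq) for seq in range(synced + 1, packets_sent + 1))
```

With the page's default inbound interval of 1000, a standby that takes over after 2500 received packets would accept 564 sequence numbers the master already rejects; with an interval of 10 the exposure shrinks to the 64-packet window itself, at the cost of far more synchronization traffic.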
