Binding A Source Interface To An Ipsec Policy - H3C S5830V2 Security Configuration Manual

IMPORTANT:
IPsec anti-replay is enabled by default. Failure to detect replay attacks might result in denial of service. Use caution when you disable IPsec anti-replay.
Specify an anti-replay window size that is as small as possible to reduce the impact on system performance. Note that a window that is too small causes legitimately delayed or reordered packets (for example, packets reordered by QoS queuing) to be dropped as if they were replays, so choose a size that covers the reordering actually seen on the link.
In an IRF fabric, multiple member devices might process packets for the same VLAN interface or tunnel interface. However, IPsec anti-replay requires that packets sent and received on the same VLAN interface or tunnel interface be processed by the same member device. To implement IPsec anti-replay in an IRF fabric, use the service slot slot-number command in VLAN interface view or tunnel interface view to specify a member device for forwarding the traffic on the interface. For more information about the service command, see Layer 2—LAN Switching Command Reference or Layer 3—IP Services Command Reference.
To configure IPsec anti-replay:

Step                                        Command                            Remarks
1. Enter system view.                       system-view                        N/A
2. Enable IPsec anti-replay.                ipsec anti-replay check            By default, IPsec anti-replay is enabled.
3. Set the size of the IPsec anti-replay    ipsec anti-replay window width     The default size is 64.
   window.

Binding a source interface to an IPsec policy

For high availability, a core device is usually connected to an ISP through two links, which operate in backup or load sharing mode. The two interfaces negotiate with their peers to establish IPsec SAs separately. When one interface fails and a link failover occurs, the other interface needs some time to re-negotiate SAs, which interrupts service.
To solve this problem, bind a source interface to an IPsec policy and apply the policy to both interfaces. This enables the two physical interfaces to use the same source interface to negotiate IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs are not removed and keep working, regardless of link failover.
Follow these guidelines when you perform this task:
Only IKE-based IPsec policies can be bound to a source interface.
An IPsec policy can be bound to only one source interface.
A source interface can be bound to multiple IPsec policies.
If the source interface bound to an IPsec policy is removed, the IPsec policy becomes a common IPsec policy.
If no local address is specified for an IPsec policy that has been bound to a source interface, the IPsec policy uses the IP address of the bound source interface to perform IKE negotiation. If a local address is specified, the IPsec policy uses the local address to perform IKE negotiation.
To bind a source interface to an IPsec policy:

Step                                        Command                            Remarks
1. Enter system view.                       system-view                        N/A
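The anti-replay window configured in the first procedure on this page is a sliding bitmap over the most recent ESP sequence numbers: a packet is accepted if its sequence number is new and not older than the window, and rejected if it repeats a number already seen or falls below the window. The following is an added example that simulates that check in plain Python in the style of the RFC 4303 receiver algorithm; it is not code from the H3C manual, and the vendor's actual implementation may differ in detail. The class and function names, the constructed sequence-number traces, and the `enabled` switch (standing in for ipsec anti-replay check) are assumptions made for illustration. The default width of 64 is the manual's default. The example also shows the trade-off the IMPORTANT note describes: a small window rejects packets that arrive late but legitimately, and a disabled check accepts replays.

```python
"""Simulated IPsec/ESP sliding-window anti-replay check (added example,
RFC 4303 Appendix A style; not the H3C implementation)."""

from dataclasses import dataclass

SEQ_MAX = 2**32 - 1  # ESP sequence numbers are 32-bit in the classic form


@dataclass
class AntiReplayWindow:
    """State one receiving SA keeps: the highest sequence number accepted
    and a bitmap of which of the `width` numbers below it were seen."""

    width: int = 64        # manual's default window size
    enabled: bool = True   # stands in for 'ipsec anti-replay check' (assumption)
    top: int = 0           # highest sequence number accepted so far
    bitmap: int = 0        # bit i set  ->  sequence number (top - i) was received

    def check(self, seq: int) -> tuple[bool, str]:
        """Return (accepted, reason); the window is updated only on accept."""
        if not 1 <= seq <= SEQ_MAX:
            return False, "invalid sequence number"
        if not self.enabled:
            # With the check disabled every packet, including a replay, is accepted.
            return True, "anti-replay disabled; accepted without check"
        if seq > self.top:
            # Newer than anything seen: slide the window forward by the gap.
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1                      # every old entry falls out
            else:
                mask = (1 << self.width) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True, "new highest; window advanced"
        offset = self.top - seq
        if offset >= self.width:
            # Older than the window can remember: cannot tell a late packet
            # from a replay, so it is dropped (the DoS risk of a tiny window).
            return False, "too old; outside window"
        if self.bitmap & (1 << offset):
            return False, "replay; already received"
        self.bitmap |= 1 << offset
        return True, "late but inside window"


def run(seqs, width=64, enabled=True):
    """Feed a trace of sequence numbers through one SA; return (seq, ok, reason)."""
    window = AntiReplayWindow(width=width, enabled=enabled)
    return [(s, *window.check(s)) for s in seqs]


def accepted(seqs, width=64, enabled=True):
    """Sequence numbers the receiver would accept from the trace."""
    return [s for s, ok, _ in run(seqs, width, enabled) if ok]


if __name__ == "__main__":
    # Constructed traces (not captured traffic).
    traces = {
        "replayed packet": [1, 2, 3, 2, 4],
        "reordered inside window": [5, 3, 4, 3],
        "delayed by 64, width 64": [100, 101, 38, 37],
        "delayed by 64, width 128": [100, 101, 38, 37],
    }
    widths = {"delayed by 64, width 128": 128}
    for name, trace in traces.items():
        for seq, ok, reason in run(trace, widths.get(name, 64)):
            print(f"{name:28} seq={seq:<4} {'ACCEPT' if ok else 'DROP  '} {reason}")
    print("check disabled:", accepted([1, 2, 2], enabled=False))
```

Reading the trace output: the replayed `2` and the second `3` are dropped as replays, `38` is accepted at width 64 because it is exactly 63 below the top, while `37` is 64 below and is dropped as too old; widening the window to 128 accepts it. With the check disabled the duplicate `2` is accepted, which is why the manual warns against turning anti-replay off.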

This manual is also suitable for:

S5820v2