When you delete a loopback interface that is bound to a shared source interface policy group, the
shared source interface configuration of that policy group is removed and the policy group becomes a
normal IPsec policy group.
If the shared source interface has both primary and secondary IP addresses configured, the primary
IP address is used for IKE negotiation. The local IP address configured by using the local-address
command in IKE peer view does not take effect.
Configuring packet information pre-extraction
If you apply both an IPsec policy and QoS policy to an interface, by default, the interface first uses
IPsec and then QoS to process IP packets, and QoS classifies packets by the headers of
IPsec-encapsulated packets. If you want QoS to classify packets by the headers of the original IP
packets, enable the packet information pre-extraction feature.
For more information about QoS policy and classification, see HPE FlexNetwork MSR Router Series
Comware 5 ACL and QoS Configuration Guide.
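The following configuration is an added, constructed example (not from this guide) showing why the feature matters: a QoS policy that gives EF treatment to the voice flows carried inside an IPsec tunnel. Addresses, the IKE peer and proposal settings, and the ACL, classifier, behavior and QoS policy commands are assumed Comware 5 syntax taken from the ACL and QoS guide rather than from this page; only ipsec policy and qos pre-classify appear here.

```text
#
# Constructed example: protect 10.1.1.0/24 <-> 10.2.2.0/24 over an IPsec
# tunnel on Serial2/0 and give the voice flows inside it EF queuing.
#
# Traffic to protect (referenced by the IPsec policy).
acl number 3000
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
#
# Voice flows, identified by the DSCP of the ORIGINAL (inner) IP packets.
acl number 3001
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255 dscp ef
#
traffic classifier voice operator and
 if-match acl 3001
traffic behavior voice
 queue ef bandwidth 512
qos policy wan-out
 classifier voice behavior voice
#
ipsec proposal prop1
#
ike peer peer1
 pre-shared-key simple PLACEHOLDER-KEY
 remote-address 203.0.113.2
#
ipsec policy policy1 10 isakmp
 security acl 3000
 ike-peer peer1
 proposal prop1
# Without the next command, QoS classifies the already-encapsulated packet:
# it sees only the outer header (tunnel endpoints, ESP, DSCP copied or not),
# so acl 3001 never matches and voice is not queued as EF. With it, the
# classifier is evaluated against the inner headers saved before encryption.
 qos pre-classify
#
interface Serial2/0
 ip address 203.0.113.1 255.255.255.252
 ipsec policy policy1
 qos apply policy wan-out outbound
#
return
```

The same classifier still sees only encapsulated packets on any other interface or policy where qos pre-classify is not enabled, so enable it per IPsec policy (or policy template) wherever QoS must act on original headers.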
To configure packet information pre-extraction:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter IPsec policy view or IPsec policy template view.
    Command (use either):
    • To enter IPsec policy view: ipsec policy policy-name seq-number [ isakmp | manual ]
    • To enter IPsec policy template view: ipsec policy-template template-name seq-number
    Remarks: Use either command.
Step 3. Enable packet information pre-extraction.
    Command: qos pre-classify
    Remarks: Disabled by default.
Enabling invalid SPI recovery
When the security gateway at one end of an IPsec tunnel loses its SAs because it rebooted or for any
other reason, its peer security gateway might be unaware of the loss and continue to send IPsec packets
to it. The receiver discards these packets because it cannot find matching SAs for them, resulting in a
traffic blackhole. This situation persists until the affected SAs on the sender age out and new SAs are
established between the two peers. To prevent such service interruption, configure the invalid SPI
recovery feature.
The invalid SPI recovery feature allows the receiver to send an INVALID SPI NOTIFY message that tells
the sender which SPIs are invalid. Upon receiving the message, the sender immediately deletes the
corresponding SAs. The subsequent traffic triggers the two peers to set up new SAs for data
transmission.
Because attackers might exploit INVALID SPI NOTIFY messages to mount a DoS attack against the IPsec
packet sender (a forged notification would make it tear down SAs that are still valid), the invalid SPI
recovery feature is disabled by default, so the receiver simply discards packets with invalid SPIs.
To enable invalid SPI recovery:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A