Configuring Packet Information Pre-Extraction; Enabling Invalid Spi Recovery - HP 10500 Series Configuration Manual

Security configuration guide

Step 3. Set the size of the IPsec anti-replay window.
  Command: ipsec anti-replay window width
  Remarks: Optional. 32 by default.

Configuring packet information pre-extraction

If you apply both an IPsec policy and a QoS policy to an interface, by default the interface first uses IPsec
and then QoS to process IP packets, so QoS classifies packets by the headers of the IPsec-encapsulated
packets. If you want QoS to classify packets by the headers of the original IP packets, enable the packet
information pre-extraction feature.
For more information about QoS policy and classification, see ACL and QoS Configuration Guide.
To configure packet information pre-extraction:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter IPsec policy view.
  Command: ipsec policy policy-name seq-number [ isakmp | manual ]
  Remarks: N/A
Step 3. Enable packet information pre-extraction.
  Command: qos pre-classify
  Remarks: Disabled by default.

Enabling invalid SPI recovery

When the security gateway at one end of an IPsec tunnel loses its SAs because it rebooted or for any other
reason, its peer security gateway may not be aware of the problem and continues to send IPsec packets to it.
The receiver discards these packets because it cannot find matching SAs for them, resulting in a traffic
blackhole. This situation changes only after the corresponding SAs on the sender age out and new SAs are
established between the two peers. To prevent such service interruption, configure the invalid SPI recovery
feature.
The invalid SPI recovery feature allows the receiver to send an INVALID SPI NOTIFY message to tell the
sender which SPIs are invalid. Upon receiving the message, the sender immediately deletes the corresponding
SAs. The subsequent traffic triggers the two peers to set up new SAs for data transmission.
Because attackers may exploit INVALID SPI NOTIFY messages to launch a DoS attack against the IPsec packet
sender, the invalid SPI recovery feature is disabled by default, so the receiver simply discards packets with
invalid SPIs.
To enable invalid SPI recovery:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable invalid SPI recovery.
  Command: ipsec invalid-spi-recovery enable
  Remarks: Optional. Disabled by default.
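The following added example models the processing order described under "Configuring packet information pre-extraction" above: IPsec encapsulates first, then QoS classifies, and a classifier that matches on the original packet's protocol and port only sees that information when the original header has been pre-extracted. It is a simplified simulation written for this page, not HP code or the switch's implementation; the gateway addresses, the sample traffic and the QoS policy rules are constructed values.

```python
"""Model of what a QoS classifier sees on an IPsec-protected interface with and
without packet information pre-extraction (qos pre-classify).

Added illustration for this page; a simplified model, not the HP 10500's code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ESP = 50  # IP protocol number for IPsec ESP


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: int                    # 6 = TCP, 17 = UDP, 50 = ESP
    dport: Optional[int] = None   # None when no L4 port is visible (e.g. ESP)


@dataclass(frozen=True)
class Packet:
    header: IPHeader                      # header visible on the wire
    original: Optional[IPHeader] = None   # pre-extracted original header, if any


# Constructed sample tunnel endpoints (assumption, not from the manual).
LOCAL_GW, PEER_GW = "192.0.2.1", "198.51.100.1"


def ipsec_encapsulate(pkt: Packet, pre_classify: bool) -> Packet:
    """Tunnel-mode ESP: the original packet becomes encrypted payload and only a
    new outer header (gateway to gateway, protocol 50) is visible afterwards.
    With pre-classify on, the original header is recorded before encryption so
    the QoS stage can still read it."""
    outer = IPHeader(src=LOCAL_GW, dst=PEER_GW, proto=ESP)
    return Packet(header=outer, original=pkt.header if pre_classify else None)


# A classifier rule is a predicate over a header; a policy maps class names to rules.
Classifier = Callable[[IPHeader], bool]


def qos_classify(pkt: Packet, policy: Dict[str, Classifier]) -> str:
    """Return the first class whose rule matches. QoS reads the pre-extracted
    original header when one exists, otherwise the header on the wire."""
    hdr = pkt.original if pkt.original is not None else pkt.header
    for name, rule in policy.items():
        if rule(hdr):
            return name
    return "default"


def classify_through_ipsec(packets: List[Packet], policy: Dict[str, Classifier],
                           pre_classify: bool) -> Dict[str, int]:
    """IPsec first, then QoS, as the interface does by default.
    Returns how many packets land in each class."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        cls = qos_classify(ipsec_encapsulate(pkt, pre_classify), policy)
        counts[cls] = counts.get(cls, 0) + 1
    return counts


# Constructed sample traffic from the protected site: SSH, DNS and HTTP.
SAMPLE = [
    Packet(IPHeader("10.1.1.10", "10.2.2.20", 6, 22)),
    Packet(IPHeader("10.1.1.11", "10.2.2.20", 17, 53)),
    Packet(IPHeader("10.1.1.12", "10.2.2.21", 6, 80)),
    Packet(IPHeader("10.1.1.13", "10.2.2.21", 6, 22)),
]

# Hypothetical QoS policy that singles out SSH and DNS by original L4 port.
POLICY: Dict[str, Classifier] = {
    "ssh": lambda h: h.proto == 6 and h.dport == 22,
    "dns": lambda h: h.proto == 17 and h.dport == 53,
}

if __name__ == "__main__":
    print("pre-classify off:", classify_through_ipsec(SAMPLE, POLICY, False))
    print("pre-classify on: ", classify_through_ipsec(SAMPLE, POLICY, True))
```

With pre-classify off every packet falls into the default class, because after encapsulation the classifier only sees ESP between the two gateways; with it on, the SSH and DNS packets are matched as intended. The same model explains why a policy that matches on tunnel endpoint addresses or on protocol 50 works either way: those fields are present in the outer header.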
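The following added example is a discrete-time model of the blackhole described under "Enabling invalid SPI recovery" above: the receiver loses its SAs, the sender keeps using a stale SA, and traffic is dropped either until the sender's SA ages out or, with recovery enabled, until an INVALID SPI NOTIFY makes the sender delete the SA and renegotiate. It is a simulation written for this page, not HP code; the tick-based timing, the single-tick renegotiation and the SPI values are modelling assumptions.

```python
"""Discrete-time model of an IPsec tunnel whose receiver loses its SAs, with and
without invalid SPI recovery. Added illustration, not the HP 10500's code."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Gateway:
    name: str
    sa_spi: Optional[int] = None   # SPI of the SA this side currently holds
    sa_age: int = 0                # ticks since the SA was installed (sender side)
    recovery: bool = False         # invalid SPI recovery enabled (receiver side)


@dataclass
class Result:
    dropped: int = 0                    # packets discarded for lack of a matching SA
    notifies: int = 0                   # INVALID SPI NOTIFY messages sent
    recovered_at: Optional[int] = None  # tick at which fresh SAs came up
    log: List[str] = field(default_factory=list)


def simulate(sa_lifetime: int, reboot_at: int, ticks: int,
             recovery: bool, spi: int = 0x1001) -> Result:
    """Sender transmits one ESP packet per tick under its SA. At reboot_at the
    receiver loses its SAs. Without recovery the sender keeps using the stale SA
    until it ages out after sa_lifetime ticks; with recovery, the first packet
    with an unknown SPI makes the receiver send INVALID SPI NOTIFY and the sender
    deletes the SA at once. Fresh SAs are negotiated on the next packet (modelled
    as taking one tick). Constructed SPI values only."""
    sender = Gateway("sender", sa_spi=spi)
    receiver = Gateway("receiver", sa_spi=spi, recovery=recovery)
    res = Result()
    for t in range(ticks):
        if t == reboot_at:
            receiver.sa_spi = None
            res.log.append(f"t={t}: receiver rebooted, SAs lost")
        if sender.sa_spi is None:
            # No SA on the sender: traffic triggers IKE and both sides install new SAs.
            new_spi = spi + t
            sender.sa_spi = receiver.sa_spi = new_spi
            sender.sa_age = 0
            if res.recovered_at is None:
                res.recovered_at = t
            res.log.append(f"t={t}: new SAs established, SPI {new_spi:#x}")
            continue
        # One packet carrying the sender's current SPI.
        if receiver.sa_spi != sender.sa_spi:
            res.dropped += 1
            if receiver.recovery:
                # The notify is what deletes the sender's SA. An unauthenticated
                # notify could do the same, which is why the feature is off by default.
                stale = sender.sa_spi
                res.notifies += 1
                sender.sa_spi = None
                res.log.append(f"t={t}: INVALID SPI NOTIFY for {stale:#x}, sender deleted SA")
        sender.sa_age += 1
        if sender.sa_age >= sa_lifetime:
            sender.sa_spi = None
            res.log.append(f"t={t}: sender SA aged out")
    return res


if __name__ == "__main__":
    for enabled in (False, True):
        r = simulate(sa_lifetime=20, reboot_at=5, ticks=30, recovery=enabled)
        print(f"recovery={enabled}: dropped={r.dropped} notifies={r.notifies} "
              f"recovered_at={r.recovered_at}")
        for line in r.log:
            print("  " + line)
```

Running it with a 20-tick SA lifetime and a receiver reboot at tick 5 shows 15 dropped packets and recovery only at tick 20 without the feature, versus a single dropped packet, one notify and recovery at tick 6 with it. The blackhole length without recovery scales with the configured SA lifetime, which is the operational cost the feature trades against the DoS exposure the manual mentions.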
