Configuring Ipsec Rri - HP 6600 Security Configuration Manual


The invalid SPI recovery feature allows the receiver to send an INVALID SPI NOTIFY message to tell the
sender which SPIs are invalid. Upon receiving the message, the sender immediately deletes the corresponding
SAs. The subsequent traffic triggers the two peers to set up new SAs for data transmission.
Because attackers can abuse INVALID SPI NOTIFY messages to launch a DoS attack against the IPsec packet
sender, the invalid SPI recovery feature is disabled by default, and the receiver discards packets with
invalid SPIs.
To enable invalid SPI recovery:

Step                               Command                             Remarks
1. Enter system view.              system-view                         N/A
2. Enable invalid SPI recovery.    ipsec invalid-spi-recovery enable   Optional. Disabled by default.

Configuring IPsec RRI

IPsec RRI operates in static mode or dynamic mode.

Static IPsec RRI
Static IPsec RRI creates static routes based on the destination address information in the ACL that the IPsec
policy references. The next hop address of the route is a user-specified remote peer address, or the IP
address of the remote tunnel endpoint.
Static IPsec RRI creates static routes immediately after you enable IPsec RRI in an IPsec policy and apply
the IPsec policy. When you disable RRI, or remove the ACL or the peer gateway IP address from the policy,
IPsec RRI deletes all static routes it has created.
The static mode applies to scenarios where the topologies of branch networks seldom change.

Dynamic IPsec RRI
Dynamic IPsec RRI dynamically creates static routes based on IPsec SAs. In each static route, the
destination address is the address of a protected branch network, and the next hop is the user-specified
remote peer address or the remote tunnel endpoint's address learned during IPsec SA negotiation.
Dynamic IPsec RRI creates static routes when the IPsec SAs are established, and deletes the static routes
when the IPsec SAs are deleted.
The dynamic mode applies to scenarios where the topologies of branch networks change frequently. For
example, when branches have dial-in users, you can configure dynamic IPsec RRI to avoid the frequent
configuration changes that would otherwise be required on the headquarters gateway.

A good practice is to configure IPsec RRI on a headquarters gateway to create static routes for the IPsec
tunnels to branches. For the static routes, you can perform the following operations:
• Change their route preference for ECMP routing or route backup. If multiple routes to the same
  destination have the same preference, traffic is balanced among them. If multiple routes to the same
  destination have different preference values, the route with the highest preference forwards traffic
  and all other routes are backup routes.
• Change their tag value so the gateway can control the use of the static routes based on routing
  policies.
To configure IPsec RRI:
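The dynamic RRI behaviour and the preference rules described above, modelled as an added example (this is not HP/Comware code): a headquarters gateway injects one static route per IPsec SA, withdraws it when the SA is deleted, and forwards by longest prefix and then preference, so equal-preference routes share traffic (ECMP) and worse-preference routes stay as backups. It assumes that a lower numeric preference value means a more preferred route, and the branch networks, SA names and endpoint addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class StaticRoute:
    destination: IPv4Network   # protected branch network
    next_hop: IPv4Address      # remote peer or tunnel endpoint address
    preference: int            # assumption: lower value = more preferred
    tag: int                   # matched by routing policies


@dataclass
class RriGateway:
    """Headquarters gateway running dynamic RRI: one route per IPsec SA."""
    preference: int = 60       # constructed default for injected routes
    tag: int = 0
    routes: dict = field(default_factory=dict)   # sa_id -> StaticRoute

    def sa_established(self, sa_id, branch_net, remote_endpoint, preference=None):
        """An SA coming up injects a static route toward the branch network."""
        route = StaticRoute(ip_network(branch_net), ip_address(remote_endpoint),
                            self.preference if preference is None else preference,
                            self.tag)
        self.routes[sa_id] = route
        return route

    def sa_deleted(self, sa_id):
        """Deleting the SA withdraws its route immediately."""
        return self.routes.pop(sa_id, None)

    def lookup(self, dst):
        """Return the routes that forward dst: longest prefix first, then the
        best preference. Several results mean ECMP; the rest are backups."""
        dst = ip_address(dst)
        matches = [r for r in self.routes.values() if dst in r.destination]
        if not matches:
            return []
        longest = max(r.destination.prefixlen for r in matches)
        matches = [r for r in matches if r.destination.prefixlen == longest]
        best = min(r.preference for r in matches)
        return sorted((r for r in matches if r.preference == best),
                      key=lambda r: int(r.next_hop))


if __name__ == "__main__":   # constructed scenario: two dial-in SAs, one branch
    gw = RriGateway(preference=60, tag=100)
    gw.sa_established("sa-1", "10.1.0.0/24", "203.0.113.10")
    gw.sa_established("sa-2", "10.1.0.0/24", "203.0.113.20")
    print([str(r.next_hop) for r in gw.lookup("10.1.0.7")])   # both: ECMP
    gw.sa_deleted("sa-1")
    print([str(r.next_hop) for r in gw.lookup("10.1.0.7")])   # .20 only
```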

This manual is also suitable for: HSR6600