Step 2. Enable IPsec packet fragmentation before or after encryption.
Command:
• Enable IPsec packet fragmentation before or after encryption: ipsec fragmentation before-encryption enable
• Enable IPsec packet fragmentation before or after encryption: undo ipsec fragmentation before-encryption enable
Remarks: Use either command. By default, IPsec packet fragmentation before encryption is enabled.

Implementing tunnel interface-based IPsec
The following is the generic configuration procedure for implementing tunnel interface-based IPsec:
1. Configure an IPsec transform set to specify the security protocols, the authentication and encryption algorithms, and the encapsulation mode.
2. Configure an IPsec profile to associate data flows with the IPsec transform set, and to specify the IKE peer parameters and the SA lifetime.
3. Configure an IPsec tunnel interface and apply the IPsec profile to the interface.
NOTE:
Because packets routed to the IPsec tunnel interface are all protected, the data protection scope, which is required for IPsec policy configuration, is not needed in the IPsec profile.

Complete the following tasks to configure tunnel interface-based IPsec:
Task (Remarks)
• Configuring an IPsec transform set (Required. An IPsec transform set referenced by an IPsec tunnel interface supports tunnel mode only.)
• Configuring an IPsec profile (Required.)
• Configuring an IPsec tunnel interface (Required.)
• Enabling packet information pre-extraction on the IPsec tunnel interface (Optional.)
• Applying a QoS policy to an IPsec tunnel interface (Optional.)
• Enabling the encryption engine (Optional.)
• Configuring the IPsec anti-replay function (Optional.)

Configuring an IPsec profile
An IPsec policy is uniquely identified by its name and sequence number. An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority. After an IPsec policy group is
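
To show what the Step 2 setting (ipsec fragmentation before-encryption enable versus its undo form) changes on the wire, the following added example, which is not from the original guide, computes the packets sent for an oversized inner packet under both orders. The overhead values are assumptions: IPv4, ESP tunnel mode, AES-CBC with HMAC-SHA1-96, no NAT traversal, no IP options, and the DF bit ignored.

```python
# Constructed overhead values (assumptions, not taken from the guide):
# 20-byte IPv4 header, 8-byte ESP header, AES-CBC (16-byte IV and block),
# HMAC-SHA1-96 (12-byte ICV).
IP_HDR, ESP_HDR, IV, BLOCK, ICV = 20, 8, 16, 16, 12

def esp_size(inner_len):
    """Outer packet length after ESP tunnel-mode encapsulation."""
    # The ciphertext covers the inner packet plus pad-length and next-header bytes.
    padded = -(-(inner_len + 2) // BLOCK) * BLOCK
    return IP_HDR + ESP_HDR + IV + padded + ICV

def ip_fragments(total_len, mtu):
    """Total lengths of the IPv4 fragments produced for one packet."""
    if total_len <= mtu:
        return [total_len]
    chunk = (mtu - IP_HDR) // 8 * 8      # fragment offsets count 8-byte units
    payload, sizes = total_len - IP_HDR, []
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(IP_HDR + take)
        payload -= take
    return sizes

def max_inner(mtu):
    """Largest inner packet whose ESP packet still fits the MTU."""
    return (mtu - IP_HDR - ESP_HDR - IV - ICV) // BLOCK * BLOCK - 2

def fragment_before(inner_len, mtu):
    """Fragment the cleartext, then encrypt each fragment separately.
    Every result is a complete ESP packet: the peer decrypts each one on
    arrival and reassembly is left to the destination host."""
    return [esp_size(f) for f in ip_fragments(inner_len, max_inner(mtu))]

def fragment_after(inner_len, mtu):
    """Encrypt the whole packet, then fragment the ESP packet.
    The results are fragments of one ESP packet: the peer must reassemble
    them before it can check the ICV and decrypt."""
    return ip_fragments(esp_size(inner_len), mtu)

if __name__ == "__main__":
    for name, fn in (("before", fragment_before), ("after", fragment_after)):
        print(f"fragmentation {name} encryption:", fn(1500, 1500))
```
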