Ipsec Policy (Interface View) - HP HSR6600 Command Reference Manual

Default
Invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs.
Views
System view
Default command level
2: System level
Usage guidelines
Invalid SPI recovery enables an IPsec security gateway to send an INVALID SPI NOTIFY message to its
peer when it receives an IPsec packet but cannot find any SA with the specified SPI. When the peer
receives the message, it deletes the SAs on its side. Then, subsequent traffic triggers the two peers to
establish new SAs.
Examples
# Enable invalid SPI recovery.
<Sysname> system-view
[Sysname] ipsec invalid-spi-recovery enable

ipsec policy (interface view)

Use ipsec policy to apply an IPsec policy group to an interface.
Use undo ipsec policy to remove the application.
Syntax
ipsec policy policy-name
undo ipsec policy [ policy-name ]
Views
Interface view
Default command level
2: System level
Parameters
policy-name: Name of the existing IPsec policy group to be applied to the interface, a string of 1 to 15
characters.
Usage guidelines
Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to the
interface, remove the original application first. An IPsec policy group can be applied to more than one
interface.
With an IPsec policy group applied to an interface, the system uses each IPsec policy in the group to
protect certain data flows.
For each packet to be sent out of an IPsec-protected interface, the system checks the IPsec policies of the
IPsec policy group in ascending order of sequence numbers. If it finds an IPsec policy whose ACL
matches the packet, it uses that IPsec policy to protect the packet. If no IPsec policy's ACL matches
the packet, the system does not provide IPsec protection for the packet and sends it out directly.