Ipsec Invalid-Spi-Recovery Enable; Ipsec Policy (Interface View) - HPE FlexNetwork HSR6800 Security Command Reference

[Sysname] ipsec fragmentation before-encryption enable

ipsec invalid-spi-recovery enable

Use ipsec invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery.
Use undo ipsec invalid-spi-recovery enable to restore the default.
Syntax
ipsec invalid-spi-recovery enable
undo ipsec invalid-spi-recovery enable
Default
Invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs.
Views
System view
Default command level
2: System level
Usage guidelines
Invalid SPI recovery enables an IPsec security gateway to send an INVALID SPI NOTIFY message
to its peer when it receives an IPsec packet but cannot find any SA with the specified SPI. When the
peer receives the message, it deletes the SAs on its side. Then, subsequent traffic triggers the two
peers to establish new SAs.
Examples
# Enable invalid SPI recovery.
<Sysname> system-view
[Sysname] ipsec invalid-spi-recovery enable
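The following Python model is an added illustration, not part of the HPE reference and not device code. It replays the exchange described in the usage guidelines with recovery disabled and enabled. The Gateway class, the SPI values, and the scenario in which gateway B loses its SAs are constructed assumptions.

```python
import itertools
import struct

_next_spi = itertools.count(0x1000)  # constructed SPI values, above reserved 0-255

class Gateway:
    """Toy IPsec gateway holding only SA tables (constructed model)."""

    def __init__(self, name, invalid_spi_recovery=False):
        self.name = name
        self.invalid_spi_recovery = invalid_spi_recovery  # default: disabled
        self.inbound = {}   # SPI -> peer name (SAs this gateway can process)
        self.outbound = {}  # peer name -> SPI placed in packets to that peer

    def negotiate(self, peer):
        """Stand-in for IKE: each receiver chooses the SPI of its inbound SA."""
        for rx, tx in ((self, peer), (peer, self)):
            spi = next(_next_spi)
            rx.inbound[spi] = tx.name
            tx.outbound[rx.name] = spi

    def send(self, peer, payload=b"data"):
        if peer.name not in self.outbound:  # traffic triggers new SAs
            self.negotiate(peer)
        # ESP header (RFC 4303): 32-bit SPI, then 32-bit sequence number.
        esp = struct.pack("!II", self.outbound[peer.name], 1) + payload
        return peer.receive(esp, self)

    def receive(self, esp, sender):
        (spi,) = struct.unpack("!I", esp[:4])
        if spi in self.inbound:
            return "delivered"
        if self.invalid_spi_recovery:       # tell the peer its SA is stale
            sender.on_invalid_spi(self.name, spi)
        return "discarded"                  # the packet is dropped either way

    def on_invalid_spi(self, peer_name, spi):
        """Handle INVALID SPI NOTIFY: delete the SAs shared with that peer."""
        if self.outbound.get(peer_name) == spi:  # model assumption: SPI must be in use
            del self.outbound[peer_name]
            self.inbound = {s: p for s, p in self.inbound.items() if p != peer_name}

def run(recovery):
    """A sends to B, B loses its SAs (constructed scenario), A keeps sending."""
    a, b = Gateway("A"), Gateway("B", invalid_spi_recovery=recovery)
    results = [a.send(b)]
    b.inbound, b.outbound = {}, {}  # B loses all SA state
    results += [a.send(b) for _ in range(3)]
    return results
```

With recovery disabled, run(False) shows every packet after the loss being discarded because A keeps using its stale SA. With recovery enabled, run(True) loses one packet, then A renegotiates and traffic resumes.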

ipsec policy (interface view)

Use ipsec policy to apply an IPsec policy group to an interface.
Use undo ipsec policy to remove the application.
Syntax
ipsec policy policy-name
undo ipsec policy [ policy-name ]
Views
Interface view
Default command level
2: System level
Parameters
policy-name: Specifies the name of the existing IPsec policy group to be applied to the interface, a
string of 1 to 15 characters.
Usage guidelines
Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to
the interface, remove the original application first. An IPsec policy group can be applied to more than
one interface.