Introduction To IPSec Multi-Instance - 3Com 3C13636 Configuration Manual

3Com Router 3000 Ethernet Family
Configuration Guide
When the interval-time timer expires without the IKE peer having received any IPSec packets from its peer, and the IKE peer now has IPSec packets to send, it first sends a DPD query to its peer as proof of liveliness and starts a time_out timer at the same time. If no acknowledgement has been received when this timer expires, DPD records one failure event. When the number of failure events reaches three, the involved ISAKMP SAs and IPSec SAs are deleted.
The same applies to the IPSec SAs set up between a router and the virtual address of a VRRP standby group: when the failure count reaches three, the security tunnel between them is deleted. The tunnel is set up again only when a packet matching the IPSec policy appears.
The failover duration depends on the setting of the time_out timer. A shorter timer setting means a shorter communication interruption but higher overhead. The default setting is recommended in normal cases.
At the responder end
The peer of the sender sends an acknowledgement after receiving the query.
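To make the sender-end behaviour above concrete, the following is an added simulation of the DPD failure counter; it is not code from the 3Com manual. The interval-time and time_out values and the event times are constructed samples, and the class, field and function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

FAILURE_LIMIT = 3  # the third failure deletes the ISAKMP and IPSec SAs (timers below are constructed samples)

@dataclass
class DpdPeer:
    interval: float               # interval-time timer: silence before a query is needed
    time_out: float               # time_out timer: how long to wait for the acknowledgement
    last_rx: float = 0.0          # when the last IPSec packet from the peer arrived
    failures: int = 0             # consecutive DPD failure events
    query_sent_at: Optional[float] = None
    sa_up: bool = True

    def receive(self, now: float) -> None:
        """Any IPSec packet or DPD acknowledgement from the peer is proof of liveliness."""
        self.last_rx, self.failures, self.query_sent_at = now, 0, None

    def want_to_send(self, now: float) -> str:
        """Called when this end has an IPSec packet for the peer; returns the action taken."""
        if not self.sa_up:
            return "no_sa"          # tunnel is rebuilt only by a packet matching the policy
        if self.query_sent_at is not None:
            return "query_pending"  # time_out timer still running
        if now - self.last_rx < self.interval:
            return "send"           # peer heard within interval-time, no query needed
        self.query_sent_at = now    # silence plus traffic to send: query first
        return "query"

    def tick(self, now: float) -> Optional[str]:
        """Expire the time_out timer; no acknowledgement by then is one failure event."""
        if self.query_sent_at is None or now - self.query_sent_at < self.time_out:
            return None
        self.failures += 1
        self.query_sent_at = None
        if self.failures >= FAILURE_LIMIT:
            self.sa_up = False
            return "sa_deleted"
        return "failure"

def simulate_silent_peer(interval, time_out, step=1.0, max_time=1000.0):
    """Peer silent from t=0 while this end sends every `step` s; returns (SA deletion time, queries sent)."""
    peer = DpdPeer(interval=interval, time_out=time_out)
    queries, t = 0, 0.0
    while t <= max_time:
        if peer.tick(t) == "sa_deleted":
            return t, queries
        queries += peer.want_to_send(t) == "query"
        t += step
    return None, queries
```

With interval-time 10 s and time_out 5 s, simulate_silent_peer(10, 5) reports the SAs deleted at t=25 after three queries, i.e. one interval plus three time_out periods, which is why the text says the failover duration depends on the time_out setting.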

7.1.5 Introduction to IPSec Multi-Instance

Currently, IPSec provides the multi-instance function on the VPN-instance-associated interfaces between PEs and CEs. That is, a PE connects to different CEs through different interfaces, so that the CEs of different VPNs can each establish an IPSec tunnel with the PE. This makes networking more flexible.
[Figure 7-2 Network diagram for IPSec multi-instance: the PE is connected to VPN1-CE1 and VPN2-CE2 through IPSec Tunnel1 and IPSec Tunnel2 (VPN ID=1 and VPN ID=2)]
Packets are processed as follows:
When the PE needs to forward an IP packet to a CE, it first identifies the VPN the packet belongs to according to the VPN ID in the packet. It then looks up the corresponding VPN routing table and, according to the matched entry, forwards the packet to the outbound interface. If the outbound interface is configured with the ipsec policy command and the packet matches the ACL, the packet is encrypted and sent to the CE.
When the PE receives an IPSec packet, it first decrypts the packet (this step is skipped for non-IPSec packets). The PE identifies the VPN the packet belongs to
3Com Corporation
7-6
Chapter 7 IPSec Configuration