R3303-HP HSR6800 Routers Security Command Reference

Examples
# Enable ACL checking of de-encapsulated IPsec packets.
<Sysname> system-view
[Sysname] ipsec decrypt check
ipsec fragmentation before-encryption
Use ipsec fragmentation before-encryption enable to enable IPsec packet fragmentation before
encryption.
Use undo ipsec fragmentation before-encryption enable to enable IPsec packet fragmentation after
encryption.
Syntax
ipsec fragmentation before-encryption enable
undo ipsec fragmentation before-encryption enable
Default
IPsec packet fragmentation before encryption is enabled.
Views
System view
Default command level
2: System level
Usage guidelines
If IPsec packet fragmentation before encryption is enabled, the following occurs when an IPsec-protected
interface encapsulates a packet:
• If the packet size is less than the interface MTU, the interface directly encapsulates the packet.
• If the packet size exceeds the interface MTU, the interface first fragments and then encapsulates the
  packet.
• If the packet size exceeds the interface MTU and the packet has the DF bit set, the interface directly
  drops the packet and reports an ICMP message.
If IPsec packet fragmentation after encryption is enabled, an IPsec-protected interface first encapsulates
a packet, and then fragments the packet if the encapsulated packet size exceeds the interface MTU.
On an interface applied with an IPsec GDOI policy, IPsec packet fragmentation before encryption must
be enabled. Otherwise, the remote interface cannot decrypt the packets whose size is larger than the
MTU of the remote interface.
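The two modes described in these usage guidelines, as a simplified Python model (an added example, not HP or Comware code). Assumptions: a constant ESP tunnel-mode overhead of 56 bytes (constructed value), a 20-byte IPv4 header, and an MTU comparison made on the size the packet has after encapsulation, because the page does not say how IPsec overhead is counted. The names `ip_fragment` and `send` are hypothetical.

```python
# Added illustration: a simplified model, not device code.
IP_HDR = 20         # IPv4 header without options
ESP_OVERHEAD = 56   # assumed constant tunnel-mode ESP overhead (constructed value)


def ip_fragment(total_len, limit):
    """Split one IPv4 packet of total_len bytes into fragment lengths <= limit."""
    if total_len <= limit:
        return [total_len]
    chunk = (limit - IP_HDR) // 8 * 8   # non-final fragment payloads are multiples of 8
    payload = total_len - IP_HDR
    frags = []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(take + IP_HDR)     # every fragment carries its own IP header
        payload -= take
    return frags


def send(pkt_len, df, mtu, before_encryption=True):
    """Return (action, on-wire packet lengths, receiver_reassembles_before_decrypt)."""
    fits = pkt_len + ESP_OVERHEAD <= mtu    # assumption: overhead counts against the MTU
    if before_encryption:
        if fits:
            return ("send", [pkt_len + ESP_OVERHEAD], False)
        if df:
            # Oversized packet with DF set: dropped, ICMP message reported.
            return ("drop+icmp", [], False)
        # Fragment the plaintext first; each fragment becomes its own ESP packet.
        pieces = ip_fragment(pkt_len, mtu - ESP_OVERHEAD)
        return ("send", [p + ESP_OVERHEAD for p in pieces], False)
    # After-encryption mode: one ESP packet, then ordinary IP fragmentation.
    # The page does not describe DF handling in this mode, so df is not consulted.
    wire = ip_fragment(pkt_len + ESP_OVERHEAD, mtu)
    return ("send", wire, len(wire) > 1)


if __name__ == "__main__":
    for args in [(1400, False, 1500, True), (1500, False, 1500, True),
                 (1500, True, 1500, True), (1500, False, 1500, False)]:
        print(args, "->", send(*args))
```

With an MTU of 1500, a 1500-byte packet leaves as two independently decryptable ESP packets in the first mode, and as two IP fragments of a single ESP packet in the second, which the receiving interface has to reassemble before it can decrypt.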
Examples
# Enable IPsec packet fragmentation before encryption.
<Sysname> system-view
[Sysname] ipsec fragmentation before-encryption enable
ipsec invalid-spi-recovery enable
Use ipsec invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery.