R3303-HP HSR6800 Routers Security Configuration Guide

For more information about QoS policy and classification, see ACL and QoS Configuration Guide.
To configure packet information pre-extraction:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enter IPsec policy view or IPsec policy template view.
   Command (IPsec policy view): ipsec policy policy-name seq-number [ isakmp | manual ]
   Command (IPsec policy template view): ipsec policy-template template-name seq-number
   Remarks: Use either command.
Step 3. Enable packet information pre-extraction.
   Command: qos pre-classify
   Remarks: Disabled by default.
Enabling invalid SPI recovery
When the security gateway at one end of an IPsec tunnel loses its SAs, for example because it reboots, its
peer security gateway might not learn of the problem and keeps sending IPsec packets to it. The receiver
discards these packets because it cannot find an SA for them, which creates a traffic blackhole. The situation
persists until the corresponding SAs on the sender age out and new SAs are established between the two
peers. To prevent this service interruption, configure the invalid SPI recovery feature.
With invalid SPI recovery enabled, the receiver sends an INVALID SPI NOTIFY message to tell the sender
which SPIs are invalid. On receiving the message, the sender immediately deletes the corresponding SAs, and
the next traffic triggers the two peers to set up new SAs for data transmission.
Because an attacker might use INVALID SPI NOTIFY messages to make the IPsec packet sender tear down its
SAs (a DoS attack), the invalid SPI recovery feature is disabled by default, in which case the receiver
silently discards packets with invalid SPIs.
To enable invalid SPI recovery:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enable invalid SPI recovery.
   Command: ipsec invalid-spi-recovery enable
   Remarks: Optional. Disabled by default.
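The following configuration is a worked example added here, not taken from the guide, that places the two commands from this section in context on a Comware V5 router: an IKE-negotiated IPsec policy with qos pre-classify enabled, so that a QoS policy applied outbound on the tunnel interface can still match a voice flow on the inner (pre-encapsulation) IP header after ESP encapsulation, plus invalid SPI recovery enabled globally. The addresses, names, ACL numbers, key placeholder and the surrounding acl, ike peer, ipsec proposal, traffic classifier, traffic behavior, qos policy and interface commands are assumptions for illustration; only ipsec policy, ipsec policy-template, qos pre-classify and ipsec invalid-spi-recovery enable come from this section. Lines beginning with "# note:" are editorial annotations, not configuration.

```text
# note: constructed example. Local tunnel endpoint 1.1.1.1, remote peer 2.2.2.2,
# note: protected subnets 10.1.1.0/24 (local) and 10.2.2.0/24 (remote).
system-view
#
# note: traffic that the IPsec policy protects (referenced by security acl)
acl number 3000
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
#
# note: voice flow inside the tunnel; matched on the original header, which
# note: the outbound QoS policy only sees when qos pre-classify is enabled
acl number 3001
 rule 0 permit udp source 10.1.1.0 0.0.0.255 destination-port range 16384 32767
#
ike peer branch
 pre-shared-key simple REPLACE-WITH-STRONG-KEY
 remote-address 2.2.2.2
#
ipsec proposal prop1
 transform esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer branch
 proposal prop1
 qos pre-classify
#
# note: weak form for comparison: the same policy without qos pre-classify.
# note: The classifier below then sees only the outer ESP packet, acl 3001
# note: never matches, and voice loses its EF marking on the WAN link.
#
traffic classifier voice
 if-match acl 3001
traffic behavior voice
 remark dscp ef
qos policy wan
 classifier voice behavior voice
#
interface GigabitEthernet2/0/1
 ip address 1.1.1.1 255.255.255.0
 ipsec policy map1
 qos apply policy wan outbound
#
# note: global and optional. Enable only where the blackhole-until-SA-expiry
# note: behaviour is a real operational problem, because the INVALID SPI NOTIFY
# note: it relies on can be abused to make this router tear down SAs (DoS).
ipsec invalid-spi-recovery enable
```

Keep the two halves of the example separate when reasoning about risk: qos pre-classify only changes which header the QoS policy classifies on and carries no exposure of its own, whereas ipsec invalid-spi-recovery enable widens the set of messages that can cause this router to delete SAs, so treat it as a deliberate trade-off rather than a default. After applying the policy, confirm that SAs are negotiated and the expected flows are protected with display ipsec sa (a standard Comware command not shown in this section).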
Configuring IPsec RRI
IPsec RRI operates in static mode or dynamic mode.
Static IPsec RRI
Static IPsec RRI creates static routes based on the destination address information in the ACL that the IPsec
policy references. The next hop of each route is either a user-specified remote peer address or the IP address
of the remote tunnel endpoint.