R3303-HP HSR6800 Routers Security Configuration Guide

When you change the route attributes, static IPsec RRI deletes all static routes it has created and creates
new static routes. In contrast, dynamic IPsec RRI applies the new attributes only to subsequent static routes.
It does not delete or modify static routes it has created.
Enabling IPsec packet fragmentation before/after encryption
When IPsec packet fragmentation before encryption is enabled, an IPsec-protected interface first
fragments and then encapsulates the packet if the packet size exceeds the interface MTU.
When IPsec packet fragmentation after encryption is enabled, an IPsec-protected interface first
encapsulates a packet, and then fragments the packet if the encapsulated packet size exceeds the
interface MTU.
On an interface applied with an IPsec GDOI policy, IPsec packet fragmentation before encryption must
be enabled. Otherwise, the remote interface cannot decrypt the packets whose size is larger than the
MTU of the remote interface. For more information about GDOI, see "Configuring group Domain VPN."
To enable IPsec packet fragmentation before or after encryption:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enable IPsec packet fragmentation before or after encryption.
  Command (use either):
    ipsec fragmentation before-encryption enable
      (enables IPsec packet fragmentation before encryption)
    undo ipsec fragmentation before-encryption enable
      (enables IPsec packet fragmentation after encryption)
  Remarks: By default, IPsec packet fragmentation before encryption is enabled. Only the tunnel encapsulation mode supports IPsec packet fragmentation before encryption.
Implementing tunnel interface-based IPsec
The following is the generic configuration procedure for implementing tunnel interface-based IPsec:
1. Configure an IPsec transform set to specify the security protocols and authentication and
encryption algorithms, and encapsulation mode.
2. Configure an IPsec profile that references the IPsec transform set and specifies the IKE peer
parameters and the SA lifetime. Unlike an IPsec policy, the profile needs no ACL, because every packet
routed to the tunnel interface is protected.
3. Configure an IPsec tunnel interface and apply the IPsec profile to the interface.
NOTE:
Because packets routed to the IPsec tunnel interface are all protected, the data protection scope, which is
required for IPsec policy configuration, is not needed in the IPsec profile.
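The following fragment, added here as an illustration and not taken from this guide, ties the three steps above together with the fragmentation setting from the previous section. It is written in Comware V5 CLI style; the system name, interface number, addresses, key, and object names (tran1, peer1, prof1) are hypothetical, and the exact command syntax for the transform set, IKE peer, IPsec profile, and tunnel interface is assumed from the Comware command reference rather than from this page (the two ipsec fragmentation commands are the ones documented above). Lines beginning with # are annotations, not commands to type.

```text
# Fragmentation: keep the default (before encryption). This is the only mode
# usable with a GDOI policy, and it applies only to tunnel encapsulation mode.
# To switch to fragmentation after encryption instead, use:
#   undo ipsec fragmentation before-encryption enable
<Router> system-view
[Router] ipsec fragmentation before-encryption enable

# Step 1: transform set - ESP with AES encryption and SHA-1 authentication,
# tunnel encapsulation mode (required for before-encryption fragmentation).
[Router] ipsec transform-set tran1
[Router-ipsec-transform-set-tran1] encapsulation-mode tunnel
[Router-ipsec-transform-set-tran1] transform esp
[Router-ipsec-transform-set-tran1] esp encryption-algorithm aes
[Router-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[Router-ipsec-transform-set-tran1] quit

# IKE peer for the remote tunnel endpoint (address and key are hypothetical;
# use a strong pre-shared key or certificates in production).
[Router] ike peer peer1
[Router-ike-peer-peer1] remote-address 2.2.2.2
[Router-ike-peer-peer1] pre-shared-key simple ExamplePSK-change-me
[Router-ike-peer-peer1] quit

# Step 2: IPsec profile - no ACL; it only binds transform set, IKE peer and lifetime.
[Router] ipsec profile prof1
[Router-ipsec-profile-prof1] transform-set tran1
[Router-ipsec-profile-prof1] ike-peer peer1
[Router-ipsec-profile-prof1] sa duration time-based 3600
[Router-ipsec-profile-prof1] quit

# Step 3: IPsec tunnel interface; everything routed out Tunnel1 is protected.
[Router] interface tunnel 1
[Router-Tunnel1] tunnel-protocol ipsec ipv4
[Router-Tunnel1] ip address 10.1.1.1 255.255.255.0
[Router-Tunnel1] source 1.1.1.1
[Router-Tunnel1] destination 2.2.2.2
[Router-Tunnel1] ipsec profile prof1
[Router-Tunnel1] quit

# Route the protected subnet into the tunnel, then verify SAs come up
# once traffic flows (display commands assumed from Comware V5).
[Router] ip route-static 192.168.2.0 255.255.255.0 tunnel 1
[Router] display ipsec sa
```

Because the tunnel interface itself is the protection scope, the only way to exclude traffic is to not route it into Tunnel1; there is no ACL in prof1 to tune. When checking the fragmentation setting on the remote side, remember that both endpoints must reassemble correctly for after-encryption fragments, whereas before-encryption fragments are each independently decryptable, which is why GDOI deployments require the default.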
Complete the following tasks to configure tunnel interface-based IPsec: