R3303-HP 6600/HSR6600 Routers Security Configuration Guide
Step: 2. Enable IPsec packet fragmentation before or after encryption.
Command:
• Enable IPsec packet fragmentation before encryption:
  ipsec fragmentation before-encryption enable
• Enable IPsec packet fragmentation after encryption:
  undo ipsec fragmentation before-encryption enable
Remarks:
Use either command.
By default, IPsec packet fragmentation before encryption is enabled.
Only the tunnel encapsulation mode supports IPsec packet fragmentation before encryption.
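The following added example (not part of the HP guide) works through the packet sizes each setting puts on the wire for one 1500-byte inner packet. The header sizes are assumptions: IPv4 without options, ESP in tunnel mode, AES-CBC encryption and a 12-byte HMAC-SHA1-96 ICV; the function names are illustrative.

```python
# Added example: all sizes below are assumptions (IPv4, ESP tunnel mode,
# AES-CBC, HMAC-SHA1-96), not values taken from the HP guide.
IP_HDR = 20      # IPv4 header without options
ESP_HDR = 8      # SPI + sequence number
IV_LEN = 16      # AES-CBC initialization vector
BLOCK = 16       # AES block size; the ESP payload is padded to this
ESP_TRAILER = 2  # pad-length and next-header bytes
ICV_LEN = 12     # truncated HMAC-SHA1 integrity check value

def esp_size(inner_len):
    """Size of the outer IPv4 packet carrying one inner packet in ESP tunnel mode."""
    padded = -(-(inner_len + ESP_TRAILER) // BLOCK) * BLOCK  # round up to a block
    return IP_HDR + ESP_HDR + IV_LEN + padded + ICV_LEN

def max_inner(mtu):
    """Largest inner packet whose ESP encapsulation still fits in mtu."""
    room = (mtu - IP_HDR - ESP_HDR - IV_LEN - ICV_LEN) // BLOCK * BLOCK
    return room - ESP_TRAILER

def ip_fragments(packet_len, limit):
    """Sizes of the IPv4 fragments of a packet, none larger than limit.
    Every fragment except the last carries a multiple of 8 data bytes."""
    if packet_len <= limit:
        return [packet_len]
    data = packet_len - IP_HDR
    per_frag = (limit - IP_HDR) // 8 * 8
    sizes = []
    while data > 0:
        chunk = min(per_frag, data)
        sizes.append(IP_HDR + chunk)
        data -= chunk
    return sizes

def before_encryption(inner_len, mtu):
    """Fragment the inner packet first; each piece becomes a complete ESP
    packet that the peer can verify and decrypt on its own."""
    return [esp_size(f) for f in ip_fragments(inner_len, max_inner(mtu))]

def after_encryption(inner_len, mtu):
    """Encrypt first; the oversized ESP packet is split into outer IP fragments
    that the IPsec peer must reassemble before it can verify and decrypt."""
    return ip_fragments(esp_size(inner_len), mtu)

if __name__ == "__main__":
    print("before encryption:", before_encryption(1500, 1500))
    print("after encryption: ", after_encryption(1500, 1500))
```

With fragmentation before encryption, reassembly of the inner fragments falls to the destination host; with fragmentation after encryption, the receiving IPsec device has to buffer and reassemble the outer fragments before it can check the ICV.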
Implementing tunnel interface-based IPsec
The following is the generic configuration procedure for implementing tunnel interface-based IPsec:
1. Configure an IPsec transform set to specify the security protocols, the authentication and
encryption algorithms, and the encapsulation mode.
2. Configure an IPsec profile to associate data flows with the IPsec transform set, and to specify the
IKE peer parameters and the SA lifetime.
3. Configure an IPsec tunnel interface and apply the IPsec profile to the interface.
NOTE:
Because packets routed to the IPsec tunnel interface are all protected, the data protection scope, which is
required for IPsec policy configuration, is not needed in the IPsec profile.
Complete the following tasks to configure tunnel interface-based IPsec:
Task | Remarks
Configuring an IPsec transform set | Required. An IPsec transform set for the IPsec tunnel interface to reference supports tunnel mode only.
Configuring an IPsec profile | Required.
Configuring an IPsec tunnel interface | Required.
Enabling packet information pre-extraction on the IPsec tunnel interface | Optional.
Applying a QoS policy to an IPsec tunnel interface | Optional.
Enabling the encryption engine | Optional.
Configuring the IPsec anti-replay function | Optional.
Configuring an IPsec profile
An IPsec policy is uniquely identified by its name and sequence number. An IPsec policy group is a
collection of IPsec policies with the same name but different sequence numbers. In an IPsec policy group,
an IPsec policy with a smaller sequence number has a higher priority. After an IPsec policy group is










