R2511-HP MSR Router Series Security Command Reference(V5)
Default command level
2: System level
Examples
# Enable ACL checking of de-encapsulated IPsec packets.
<Sysname> system-view
[Sysname] ipsec decrypt check
ipsec fragmentation before-encryption
Use ipsec fragmentation before-encryption enable to enable fragmentation before encapsulation.
Use undo ipsec fragmentation before-encryption enable to enable fragmentation after encapsulation.
Syntax
ipsec fragmentation before-encryption enable
undo ipsec fragmentation before-encryption enable
Default
Fragmentation before encapsulation is enabled.
Views
System view
Default command level
2: System level
Usage guidelines
After fragmentation before encapsulation is enabled, if the size of a packet after encapsulation exceeds the
interface MTU, the interface fragments the packet before encapsulating it.
After fragmentation after encapsulation is enabled, an interface first encapsulates a packet. If the size of
the packet after encapsulation exceeds the interface MTU, it fragments the encapsulated packet.
After fragmentation before encapsulation is enabled, if a packet to be fragmented has the DF bit set, the
device drops the packet and sends an ICMP error control message.
If a GDOI IPsec policy entry is applied to an interface of the device, you must enable fragmentation
before encryption. Otherwise, packets fragmented after encapsulation at the local end cannot be
reassembled at the remote end, resulting in a decryption failure.
Examples
# Enable fragmentation before encapsulation.
<Sysname> system-view
[Sysname] ipsec fragmentation before-encryption enable
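The two orderings in the usage guidelines above, modeled as an added Python sketch (not part of the HP reference and not device code). The names `plan` and `split_payload`, the fixed 56-byte tunnel overhead (taken to include the new outer IP header), and the sample sizes are assumptions made for illustration.

```python
IP_HDR = 20  # IPv4 header without options

def split_payload(data_len, max_data):
    """Cut an IP payload into fragment payloads; all but the last are multiples of 8."""
    step = max_data // 8 * 8
    if step < 8:
        raise ValueError("MTU too small to carry a fragment")
    sizes = []
    while data_len > max_data:
        sizes.append(step)
        data_len -= step
    sizes.append(data_len)
    return sizes

def plan(packet_len, df, mtu, overhead, before_encryption=True):
    """Return (action, on-wire packet sizes) for one cleartext IPv4 packet.

    overhead is an assumed fixed byte count added by IPsec encapsulation,
    including the new outer IP header (real ESP overhead varies with padding).
    """
    if packet_len + overhead <= mtu:
        return ("encapsulate", [packet_len + overhead])
    if before_encryption:
        if df:
            # Stated on the page: DF set and fragmentation needed -> drop + ICMP error.
            return ("drop+icmp-error", [])
        # Fragment the cleartext so that every fragment still fits after encapsulation.
        # Each result is a complete IPsec packet the peer can decrypt on its own.
        parts = split_payload(packet_len - IP_HDR, mtu - overhead - IP_HDR)
        return ("fragment-then-encapsulate", [IP_HDR + p + overhead for p in parts])
    # Encapsulate first, then fragment the outer packet. The peer must reassemble
    # all fragments before it can decrypt. The page states the DF drop only for
    # the before-encapsulation setting, so no DF check is modeled here.
    parts = split_payload(packet_len + overhead - IP_HDR, mtu - IP_HDR)
    return ("encapsulate-then-fragment", [IP_HDR + p for p in parts])

if __name__ == "__main__":
    # Constructed sample: 1500-byte packets on a 1500-byte MTU interface.
    for df, before in [(False, True), (True, True), (False, False)]:
        print(df, before, plan(1500, df, 1500, 56, before))
```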
ipsec invalid-spi-recovery enable
Use ipsec invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery.
Use undo ipsec invalid-spi-recovery enable to restore the default.
Syntax
ipsec invalid-spi-recovery enable










