R2511-HP MSR Router Series Security Command Reference(V5)

undo ipsec invalid-spi-recovery enable
Default
Invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs.
Views
System view
Default command level
2: System level
Usage guidelines
Invalid SPI recovery enables an IPsec security gateway to send an INVALID SPI NOTIFY message to its
peer when it receives an IPsec packet but cannot find any SA with the specified SPI. When the peer
receives the message, it deletes the SAs on its side. Then, subsequent traffic triggers the two peers to
establish new SAs.
Examples
# Enable invalid SPI recovery.
<Sysname> system-view
[Sysname] ipsec invalid-spi-recovery enable
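
The recovery sequence from the usage guidelines above, as an added Python model that is not part of the HP reference: gateway B loses its SAs while A keeps sending with the old SPI. The Gateway class, its methods and the SPI values are constructed for illustration, and IKE negotiation is reduced to both sides installing the same new SPI.

```python
# Added illustration: toy model of invalid SPI recovery between two IPsec gateways.
# All names are hypothetical; negotiation stands in for a real IKE exchange.
import itertools

_spi = itertools.count(0x1000)  # constructed SPI values


class Gateway:
    def __init__(self, recovery=False):
        self.invalid_spi_recovery = recovery  # models "ipsec invalid-spi-recovery enable"
        self.peer = None
        self.sas = set()      # SPIs of the SAs this gateway currently holds
        self.delivered = 0    # packets accepted from the peer
        self.discarded = 0    # packets dropped because no SA matched the SPI

    def negotiate(self):
        """Stand-in for IKE: both peers install the same new SA."""
        spi = next(_spi)
        self.sas.add(spi)
        self.peer.sas.add(spi)

    def send(self):
        """Send one protected packet; traffic with no SA triggers negotiation."""
        if not self.sas:
            self.negotiate()
        self.peer.receive(max(self.sas))  # newest SA

    def receive(self, spi):
        if spi in self.sas:
            self.delivered += 1
            return
        self.discarded += 1               # the packet itself is lost either way
        if self.invalid_spi_recovery:
            self.peer.on_invalid_spi_notify()

    def on_invalid_spi_notify(self):
        """INVALID SPI NOTIFY received: delete the SAs on this side."""
        self.sas.clear()


def run(recovery, packets=5):
    """Return (delivered, discarded) as counted on B after it loses its SAs."""
    a, b = Gateway(), Gateway(recovery)
    a.peer, b.peer = b, a
    a.send()                  # initial SA setup, one packet delivered
    b.sas.clear()             # B loses its SAs; A is not informed
    for _ in range(packets):
        a.send()
    return b.delivered, b.discarded
```

With recovery disabled, every packet A sends after B loses its SAs is discarded; with it enabled, only the first is lost before new SAs are established.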
ipsec no-nat-process enable
Use ipsec no-nat-process enable to configure the interface to forward packets to IPsec transparently
without performing address translation.
Use undo ipsec no-nat-process enable to restore the default.
Syntax
ipsec no-nat-process enable
undo ipsec no-nat-process enable
Default
If both NAT and IPsec are configured on an interface, outgoing packets on the interface will be
processed by NAT and then by IPsec.
Views
System view
Default command level
2: System level
Usage guidelines
Configure this command if packets that are to be protected by IPsec must not be NATed.
Examples
# Configure interface Ethernet 0/0 to forward packets to IPsec transparently without performing address
translation.
<Sysname> system-view
[Sysname] interface ethernet 0/0
[Sysname-Ethernet0/0] ipsec no-nat-process enable