R2511-HP MSR Router Series Security Configuration Guide(V5)

Enabling the encryption engine
The encryption engine is a coprocessor that provides an encryption/decryption algorithm interface for
IPsec processing.
- If an encryption card is bound, IPsec processing is performed by the card as long as it operates correctly. If the encryption card fails, the matching packets are discarded.
- If no encryption card is bound, there are two cases:
  - If the encryption engine is enabled, the engine takes over the responsibility of IPsec processing.
  - If the encryption engine is disabled or has failed but the IPsec module backup function is enabled, the IPsec module takes over the responsibility of IPsec processing. If the IPsec module backup function is disabled, the matching packets are discarded.
To enable the encryption engine:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable the encryption engine. | cryptoengine enable | Optional. |
| 3. Enable the encryption engine. | cryptoengine enable [ slot slot-number ] | Optional. |
Enabling the IPsec module backup function
The following matrix shows the feature and router compatibility:
| Feature | MSR900 | MSR93X | MSR20-1X | MSR20 | MSR30 | MSR50 | MSR1000 |
|---|---|---|---|---|---|---|---|
| Enabling the IPsec module backup function | No | Yes | No | Yes | Yes | Yes | No |
To enable the IPsec module backup function:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable the IPsec module backup function. | ipsec cpu-backup enable | Enabled by default. |
Configuring the IPsec session idle timeout
An IPsec session is created when the first packet matching an IPsec policy arrives. Also created is an IPsec
session entry, which records the quintuplet (source IP address, destination IP address, protocol number,
source port, and destination port) and the matched IPsec tunnel.
An IPsec session is automatically deleted after the idle timeout expires.
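The session lifecycle described above, modeled in Python as an added example (not code from this guide or from the router software). The class name, the `demo_policy` function, the tunnel label and the addresses are constructed for illustration, and resetting the idle timer on every matching packet is an assumption based on the usual meaning of an idle timeout.

```python
import ipaddress
import time

# Constructed sample policy: protect traffic to 10.2.0.0/16 with one tunnel.
PROTECTED_NET = ipaddress.ip_network("10.2.0.0/16")

def demo_policy(quintuplet):
    """Return the matched tunnel name, or None if no IPsec policy matches."""
    dst_ip = quintuplet[1]
    if ipaddress.ip_address(dst_ip) in PROTECTED_NET:
        return "tunnel-to-branch"
    return None

class IPsecSessionTable:
    """Session entries keyed by the quintuplet, removed after an idle timeout."""

    def __init__(self, idle_timeout, match_policy, clock=time.monotonic):
        self.idle_timeout = idle_timeout   # seconds
        self.match_policy = match_policy
        self.clock = clock
        self.sessions = {}                 # quintuplet -> [tunnel, last_seen]

    def expire(self):
        """Delete entries idle for idle_timeout or longer; return how many."""
        now = self.clock()
        stale = [q for q, (_, seen) in self.sessions.items()
                 if now - seen >= self.idle_timeout]
        for q in stale:
            del self.sessions[q]
        return len(stale)

    def handle_packet(self, quintuplet):
        """Return the tunnel for this packet, creating a session if needed."""
        self.expire()
        entry = self.sessions.get(quintuplet)
        if entry is None:
            tunnel = self.match_policy(quintuplet)
            if tunnel is None:
                return None                # no policy match: no session created
            entry = self.sessions[quintuplet] = [tunnel, self.clock()]
        entry[1] = self.clock()            # assumption: each packet resets the idle timer
        return entry[0]
```

Passing a fake `clock` makes the expiry behavior easy to step through without waiting for real time to elapse.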