R2511-HP MSR Router Series Security Configuration Guide(V5)
172
IMPORTANT:
• IPsec anti-replay checking is enabled by default. Do not disable it unless you have a specific reason to: with checking off, a captured and retransmitted ESP or AH packet that still carries a valid ICV is accepted as if it were new.
• A wider anti-replay window costs more memory and more per-packet processing, which works against the purpose of the anti-replay function. Specify the smallest window that still covers the legitimate reordering on the path: a packet that arrives more than the window width behind the newest accepted packet is dropped, so a window that is too narrow causes drops on links where QoS queuing reorders packets.
To configure IPsec anti-replay checking:

Step                                              Command                              Remarks
1. Enter system view.                             system-view                          N/A
2. Enable IPsec anti-replay checking.             ipsec anti-replay check              Optional. Enabled by default.
3. Set the size of the IPsec anti-replay window.  ipsec anti-replay window width       Optional. 32 by default.
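The window the table lets you size is the receiver-side sliding window of RFC 4303 (section 3.4.3). The following is an added example, not code from the HP guide and not Comware's implementation: a Python model of that algorithm, with a constructed packet stream (one packet delayed 40 positions by reordering, one replayed, one forged) fed through a 32-entry window, the guide's default, and a 64-entry one. The class name, the function names and the sample stream are my own.

```python
"""Sliding-window IPsec anti-replay check, modelled on RFC 4303 section 3.4.3.

Added example (not HP/H3C code). `top` is the highest sequence number whose
ICV has verified, and bit i of `bitmap` records whether `top - i` has been
seen (bit 0 is `top` itself). The window covers [top - width + 1, top].
"""
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"        # new sequence number inside or beyond the window
    REPLAY = "replay"        # already seen: a duplicate or a replayed packet
    TOO_OLD = "too old"      # left of the window: cannot tell, so drop
    AUTH_FAIL = "auth fail"  # ICV failed: forged, window must not advance


class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound SA."""

    def __init__(self, width: int = 32) -> None:
        # Bitmaps are sized in 32-bit words; this multiple-of-32 rule is the
        # example's own choice, not a statement about Comware's accepted values.
        if width < 32 or width % 32:
            raise ValueError("window width must be a positive multiple of 32")
        self.width = width
        self.top = 0       # ESP/AH sequence numbers start at 1; 0 is reserved
        self.bitmap = 0

    def check(self, seq: int) -> Verdict:
        """Tentative verdict before ICV verification; changes no state."""
        if seq == 0:
            return Verdict.TOO_OLD  # reserved value, never legitimately sent
        if seq > self.top:
            return Verdict.ACCEPT   # right of the window: always new
        offset = self.top - seq
        if offset >= self.width:
            return Verdict.TOO_OLD  # fell off the left edge
        if self.bitmap >> offset & 1:
            return Verdict.REPLAY   # bit already set: seen before
        return Verdict.ACCEPT

    def commit(self, seq: int) -> None:
        """Record `seq` after its ICV verified; call only after check() said ACCEPT."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 0     # jumped past the whole window: nothing carries over
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.width) - 1)
            self.top = seq
            self.bitmap |= 1
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool = True) -> Verdict:
        """Full inbound order: replay check, then authentication, then commit."""
        verdict = self.check(seq)
        if verdict is not Verdict.ACCEPT:
            return verdict
        if not icv_ok:
            return Verdict.AUTH_FAIL   # a forgery must not be able to slide the window
        self.commit(seq)
        return verdict


# Constructed stream of (sequence number, ICV verifies) pairs:
# 1-4 in order, 6-45 in order (5 delayed by reordering), then 5 arrives 40
# positions late, 30 is replayed, 100 is forged, 46 is genuine, 5 is replayed.
SAMPLE_STREAM = (
    [(s, True) for s in range(1, 5)]
    + [(s, True) for s in range(6, 46)]
    + [(5, True), (30, True), (100, False), (46, True), (5, True)]
)


def run(width: int, stream=SAMPLE_STREAM) -> list:
    """Feed the stream through a fresh window of `width`; return verdicts in order."""
    window = AntiReplayWindow(width)
    return [window.receive(seq, ok).value for seq, ok in stream]


def demo() -> dict:
    """Same stream through the default 32-entry window and a 64-entry one."""
    return {32: run(32), 64: run(64)}


if __name__ == "__main__":
    for width, verdicts in demo().items():
        print(width, verdicts[44:])
```

With width 32 the late packet 5 is dropped as "too old" (40 positions behind the newest accepted packet exceeds the window), while width 64 accepts it and then correctly flags its later replay; the replayed 30 and the forged 100 are rejected at either width, and the forgery leaves `top` unchanged so the genuine 46 is still accepted. That is the trade-off the note above describes: the width buys tolerance for reordering and costs bitmap state and per-packet work.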
Configuring a shared source interface policy group
For higher network reliability, a core device is usually connected to the ISP through two links, which operate in backup or load sharing mode. If you apply different IPsec policy groups to the two interfaces, each interface negotiates its own IPsec SAs with the peer. When one interface fails and traffic fails over, the other interface must first negotiate SAs, and service is interrupted until that completes. You must also make sure that the two IPsec policy groups use the same encryption policy.
To solve these problems, configure a shared source interface policy group and apply it to both interfaces. The two physical interfaces then use the same source interface to negotiate IPsec SAs dynamically. As long as the source interface stays up, the negotiated IPsec SAs are not removed and keep working, regardless of which physical interface or link is carrying the traffic. For this to work, the peer must be able to reach the source interface's address over either link, so that address must be routable from the peer through both paths.
Only loopback interfaces can act as source interfaces.
To configure an IPsec policy group as a shared source interface policy group:

Step                                                                       Command                                               Remarks
1. Enter system view.                                                      system-view                                           N/A
2. Configure an IPsec policy group as a shared source interface policy group.  ipsec policy policy-name local-address loopback number  By default, an IPsec policy group is not a shared source interface policy group.
One shared source interface policy group can be bound to only one source interface, and one source interface can be bound to only one shared source interface policy group.
When you delete a loopback interface that is bound to a shared source interface policy group, the shared source interface binding is removed and the policy group becomes a normal IPsec policy group; the SAs it negotiated then no longer survive a failover.
If the shared source interface has both a primary and secondary IP address configured, the primary IP address is used for IKE negotiation. A local IP address configured with the local-address command in IKE peer view is ignored for such a policy group.