R2511-HP MSR Router Series Security Configuration Guide(V5)

IPsec RRI can operate in both tunnel mode and transport mode.
When you change the route attributes, static IPsec RRI deletes all static routes it has created and creates
new static routes. In contrast, dynamic IPsec RRI applies the new attributes only to subsequent static routes.
It does not delete or modify static routes it has created.
Enabling transparent data transmission without NAT
By default, if an interface is configured with both NAT and IPsec, the outgoing packets on the interface
are processed by NAT and then IPsec.
In some special scenarios, NAT is not required before IPsec processing. You can use this feature to enable
transparent data transmission without NAT for the interface.
To enable transparent data transmission without NAT:

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
Step 2. Enable transparent data transmission without NAT.
        Command: ipsec no-nat-process enable
        Remarks: Optional. Disabled by default.
Enabling fragmentation before/after encryption
If the size of a packet exceeds the interface MTU after the packet is encapsulated:
If fragmentation before encryption is enabled, the packet is fragmented first and then encapsulated.
If fragmentation after encryption is enabled, the packet is encapsulated first and then fragmented.
If a GDOI IPsec policy entry is applied to an interface of the device, you must enable fragmentation
before encryption. Otherwise, packets fragmented after encapsulation at the local end cannot be
reassembled at the remote end, resulting in a decryption failure. For more information about GDOI IPsec
policies, see "Configuring group encrypted transport VPN."
To enable fragmentation before/after encryption:

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
Step 2. Enable fragmentation before/after encryption.
        Command (to enable fragmentation before encryption): ipsec fragmentation before-encryption enable
        Command (to enable fragmentation after encryption): undo ipsec fragmentation before-encryption enable
        Remarks: Use either command as needed. By default, fragmentation after encryption is enabled. The IPsec transport mode does not support fragmentation before encryption.
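The following is an added toy model, not part of the HP guide, of the two fragmentation orders described above: fragmenting the clear-text packet first yields ESP packets that each decrypt on their own, whereas fragmenting after encapsulation means every fragment of the ESP packet must arrive before the remote end can decrypt it. The ESP overhead sizes, the MTU and the packet length are assumptions of the model.

```python
# Added illustration (not from the HP guide, which only gives the CLI commands):
# toy model of IPv4 fragmentation before vs. after ESP tunnel-mode encryption.
# All header and overhead sizes below are assumptions of this model.
OUTER_IP = 20   # outer IPv4 header added in tunnel mode
INNER_IP = 20   # inner IPv4 header of the protected packet
ESP_HDR = 8     # SPI + sequence number
IV = 16         # assumed CBC IV size
TRAILER = 2     # pad length + next header
ICV = 12        # assumed truncated HMAC
BLOCK = 16      # assumed cipher block size (padding granularity)

def esp_len(inner_len):
    """Wire length of one ESP tunnel-mode packet carrying inner_len bytes."""
    padded = -(-(inner_len + TRAILER) // BLOCK) * BLOCK
    return OUTER_IP + ESP_HDR + IV + padded + ICV

def ip_fragment(total_len, max_payload, hdr=INNER_IP):
    """Split an IP packet into fragments; max_payload is a multiple of 8."""
    payload, frags = total_len - hdr, []
    while payload > 0:
        chunk = min(max_payload, payload)
        frags.append(hdr + chunk)
        payload -= chunk
    return frags

def max_inner_payload(mtu):
    """Largest 8-byte-aligned clear-text payload whose ESP packet still fits the MTU."""
    return max(p for p in range(8, mtu, 8) if esp_len(INNER_IP + p) <= mtu)

def fragment_after_encryption(pkt_len, mtu):
    """Default behaviour: encapsulate first, then fragment the ESP packet."""
    return ip_fragment(esp_len(pkt_len), (mtu - OUTER_IP) // 8 * 8, hdr=OUTER_IP)

def fragment_before_encryption(pkt_len, mtu, transport_mode=False):
    """Fragment the clear-text packet first; each fragment is encapsulated on its own."""
    if transport_mode:
        raise ValueError("transport mode does not support fragmentation before encryption")
    return [esp_len(f) for f in ip_fragment(pkt_len, max_inner_payload(mtu))]

def decryptable_bytes(mode, pkt_len, mtu, lost_fragment):
    """Clear-text payload the remote end can still decrypt if one fragment is lost."""
    if mode == "after":
        return 0  # the ESP packet cannot be reassembled, so decryption fails outright
    inner = ip_fragment(pkt_len, max_inner_payload(mtu))
    return sum(f - INNER_IP for i, f in enumerate(inner) if i != lost_fragment)
```

With a 3000-byte clear-text packet and a 1500-byte MTU the model yields three ESP packets of 1496, 1496 and 232 bytes before encryption, versus one 3064-byte ESP packet split into 1500, 1500 and 104 bytes after encryption.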
Implementing tunnel interface-based IPsec
The following is the generic configuration procedure for implementing tunnel interface-based IPsec: