HP MSR2000/3000/4000 Router Series Security Configuration Guide

Step                            Command                                       Remarks
3. Configure the DF bit of      ipsec df-bit { clear | copy | set }           By default, the interface uses the
   IPsec packets on the                                                       global DF bit setting.
   interface.
To configure the DF bit of IPsec packets globally:
Step                            Command                                       Remarks
1. Enter system view.           system-view                                   N/A
2. Configure the DF bit of      ipsec global-df-bit { clear | copy | set }    By default, IPsec copies the DF bit in the
   IPsec packets globally.                                                    original IP header to the new IP header.
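An added example, not taken from the HP guide: a Python check that resolves the effective DF bit setting for each interface in a saved configuration, using the two defaults stated above (an interface without ipsec df-bit uses the global setting; without ipsec global-df-bit, IPsec copies the DF bit). The sample configuration, its interface names, and the assumed "#"-separated layout are constructed for illustration.

```python
import re

# Constructed sample (assumptions: "#" separates views; interface names are made up).
SAMPLE_CONFIG = """\
#
 ipsec global-df-bit clear
#
interface GigabitEthernet2/0/1
 ipsec df-bit set
#
interface GigabitEthernet2/0/2
#
"""

KEYWORDS = {"clear", "copy", "set"}
IFACE_RE = re.compile(r"^interface (\S+)\s*$")
GLOBAL_RE = re.compile(r"^\s*ipsec global-df-bit (\S+)\s*$")
IFACE_DF_RE = re.compile(r"^\s+ipsec df-bit (\S+)\s*$")


def _keyword(value, line):
    """Reject anything other than the three documented keywords."""
    if value not in KEYWORDS:
        raise ValueError(f"unexpected DF bit keyword: {line.strip()!r}")
    return value


def effective_df_bit(config_text):
    """Map each interface to (effective setting, where it came from)."""
    global_df = "copy"   # default: copy the DF bit of the original IP header
    explicit, interfaces, current = {}, [], None
    for line in config_text.splitlines():
        if line.strip() == "#":              # end of the current view
            current = None
        elif m := IFACE_RE.match(line):      # start of an interface view
            current = m.group(1)
            interfaces.append(current)
        elif (m := GLOBAL_RE.match(line)) and current is None:
            global_df = _keyword(m.group(1), line)
        elif (m := IFACE_DF_RE.match(line)) and current is not None:
            explicit[current] = _keyword(m.group(1), line)
    # An interface without its own setting uses the global one.
    return {name: (explicit[name], "interface") if name in explicit
            else (global_df, "global") for name in interfaces}


if __name__ == "__main__":
    for name, (setting, source) in effective_df_bit(SAMPLE_CONFIG).items():
        print(f"{name}: DF bit {setting} (from {source} setting)")
```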
Configuring IPsec RRI
After you enable IPsec RRI for an IPsec policy or an IPsec policy template on a gateway device at the
headquarters side in an IPsec VPN, the device automatically creates a static route when an IPsec SA is
created according to this IPsec policy or IPsec policy template. In the static route, the destination IP
address is the protected peer private network, and the next hop is the IP address of the remote tunnel
interface.
You can set preferences for the static routes created by IPsec RRI to flexibly apply route management
policies. For example, you can set the same preference for multiple routes to the same destination to
implement load sharing, or different preferences to implement route backup.
You can also set tags for the static routes created by IPsec RRI to implement flexible route control through
routing policies.
Configuration guidelines
Enabling or disabling IPsec RRI for an IPsec policy makes the device delete all IPsec SAs created by this
IPsec policy, and the associated static routes.
If you change the preference value or tag value for an IPsec policy, the device deletes all IPsec SAs
created by this IPsec policy, and the associated static routes. Your change takes effect for later IPsec
RRI-created static routes.
With IPsec RRI enabled, the device does not add a route whose destination address is 0.0.0.0/0 to the
routing table when generating the route, so no static route exists for that IPsec tunnel. Consequently,
removal of the route is not triggered when the route is deleted.
Configuration procedure
To configure IPsec RRI:
Step                            Command                                       Remarks
1. Enter system view.           system-view                                   N/A