HP VPN Firewall Appliances VPN Configuration Guide
175
Step | Command | Remarks
3. Enable packet information pre-extraction. | qos pre-classify | Disabled by default.
Enabling invalid SPI recovery
When the security gateway at one end of an IPsec tunnel loses its SAs, because of a reboot or for any other reason, the peer security gateway might not be aware of the problem and keeps sending IPsec packets to it. The receiver discards these packets because it cannot find SAs for them, so the traffic falls into a blackhole. The situation only changes when the affected SAs on the sender age out and new SAs are established between the two peers. To prevent this service interruption, configure the invalid SPI recovery feature.

With invalid SPI recovery, the receiver sends an INVALID SPI NOTIFY message that tells the sender which SPIs are invalid. On receiving the message, the sender immediately deletes the corresponding SAs, and the next traffic triggers the two peers to set up new SAs for data transmission.

Because attackers might use INVALID SPI NOTIFY messages to mount a DoS attack against the IPsec packet sender, the invalid SPI recovery feature is disabled by default, so the receiver silently discards packets with invalid SPIs.
To enable invalid SPI recovery:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable invalid SPI recovery. | ipsec invalid-spi-recovery enable | Optional. Disabled by default.
Configuring IPsec RRI
IPsec RRI operates in static mode or dynamic mode.

1. Static IPsec RRI

Static IPsec RRI creates static routes based on the destination address information in the ACL that the IPsec policy references. The next hop address of each route is a user-specified remote peer address, or the IP address of the remote tunnel endpoint.

Static IPsec RRI creates the static routes immediately after you enable IPsec RRI in an IPsec policy and apply the IPsec policy. When you disable RRI, or remove the ACL or the peer gateway IP address from the policy, IPsec RRI deletes all static routes it has created.

The static mode applies to scenarios where the topologies of branch networks seldom change.

2. Dynamic IPsec RRI

Dynamic IPsec RRI dynamically creates static routes based on IPsec SAs. In each static route, the destination address is the address of a protected branch network, and the next hop is the user-specified remote peer address or the remote tunnel endpoint's address learned during IPsec SA negotiation.

Dynamic IPsec RRI creates static routes when the IPsec SAs are established, and deletes the static routes when the IPsec SAs are deleted.

The dynamic mode applies to scenarios where the topologies of branch networks change frequently. For example, when branches have dial-in users, you can configure dynamic IPsec RRI to avoid the frequent configuration changes that would otherwise be required on the headquarters gateway.
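The two RRI modes, as an added Python model (not HP firmware code): static mode derives one route per permit-rule destination in the referenced ACL, with the configured peer as next hop; dynamic mode installs a route when an SA is established and withdraws it when the SA is deleted, using the configured peer or the tunnel endpoint learned in negotiation. The ACL text, SPIs, branch prefixes and addresses are constructed samples.

```python
"""Model of static and dynamic IPsec RRI route injection.  Added example,
not HP firmware code: the ACL rules, SPIs and addresses are constructed."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Comware-style ACL rules with wildcard masks (constructed sample).
ACL_3001 = """
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
rule 10 deny ip
"""

# Only permit rules carrying a destination contribute routes.
DEST_RE = re.compile(r"^rule\s+\d+\s+permit\s+ip\b.*?\bdestination\s+(\S+)\s+(\S+)")

Route = Tuple[str, str]  # (destination prefix, next hop)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an ACL 'address wildcard' pair into a prefix.  A wildcard of
    0.0.0.0 covers a single host, so it becomes a /32."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def static_rri_routes(acl_text: str, next_hop: str) -> List[Route]:
    """Static mode: routes exist as soon as RRI is enabled in the policy and
    the policy is applied; all of them point at the configured remote peer."""
    routes: List[Route] = []
    for line in acl_text.strip().splitlines():
        m = DEST_RE.match(line.strip())
        if m:
            routes.append((str(wildcard_to_network(m.group(1), m.group(2))), next_hop))
    return routes


class DynamicRRI:
    """Dynamic mode: routes follow the IPsec SA life cycle.  The next hop is
    the configured peer when one is set, otherwise the remote tunnel endpoint
    learned during SA negotiation."""

    def __init__(self, configured_peer: Optional[str] = None) -> None:
        self.configured_peer = configured_peer
        self.sa_routes: Dict[int, Route] = {}  # SPI -> route it installed

    def sa_established(self, spi: int, remote_endpoint: str, protected_network: str) -> Route:
        next_hop = self.configured_peer or remote_endpoint
        route = (str(ipaddress.ip_network(protected_network)), next_hop)
        self.sa_routes[spi] = route
        return route

    def sa_deleted(self, spi: int) -> Optional[Route]:
        """Deleting the SA withdraws its route; an unknown SPI changes nothing."""
        return self.sa_routes.pop(spi, None)

    def table(self) -> List[Route]:
        return sorted(set(self.sa_routes.values()))


def demo() -> Tuple[List[Route], List[Route], List[Route]]:
    """Headquarters gateway view: static routes from ACL 3001, then dynamic
    routes for two dial-in branches, one of which later hangs up."""
    static = static_rri_routes(ACL_3001, "203.0.113.2")
    rri = DynamicRRI()  # no configured peer: next hop learned from negotiation
    rri.sa_established(0x1001, "198.51.100.7", "10.3.1.0/24")
    rri.sa_established(0x1002, "198.51.100.9", "10.3.2.0/24")
    with_both = rri.table()
    rri.sa_deleted(0x1001)  # branch disconnected: its route disappears
    return static, with_both, rri.table()


if __name__ == "__main__":
    for label, routes in zip(("static", "dynamic", "dynamic after SA delete"), demo()):
        print(label, routes)
```

The practical consequence the model makes visible: in dynamic mode a branch prefix is reachable only while its SA exists, so a monitoring check that the expected RRI routes are present is also a check that the tunnels are up.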