HPE FlexFabric 5940 SERIES User Manual

HPE FlexFabric 5940 SERIES
571 pages
Step / Command / Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable IPsec redundancy.
   Command: ipsec redundancy enable
   Remarks: By default, IPsec redundancy is disabled.
3. Enter IPsec policy view or IPsec policy template view.
   Command:
   • Enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number [ isakmp | manual ]
   • Enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template } template-name seq-number
   Remarks: N/A
4. Set the anti-replay window synchronization interval for inbound packets and the sequence number synchronization interval for outbound packets.
   Command: redundancy replay-interval inbound inbound-interval outbound outbound-interval
   Remarks: By default, the active device synchronizes the anti-replay window every time it receives 1000 packets and the sequence number every time it sends 100000 packets.

Binding a source interface to an IPsec policy
For high availability, a core device is usually connected to an ISP through two links, which operate in backup or load sharing mode. Each of the two interfaces negotiates with its peer to establish its own IPsec SAs. When one interface fails and a link failover occurs, the other interface needs some time to renegotiate SAs, which interrupts service.
To solve this problem, bind a source interface to an IPsec policy and apply the policy to both interfaces. The two physical interfaces then use the same source interface to negotiate IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs are not removed and keep working, regardless of link failover.
Follow these guidelines when you perform this task:
• Only IKE-based IPsec policies can be bound to a source interface.
• An IPsec policy can be bound to only one source interface.
• A source interface can be bound to multiple IPsec policies.
• If the source interface bound to an IPsec policy is removed, the IPsec policy becomes a common IPsec policy.
• If no local address is specified for an IPsec policy that has been bound to a source interface, the IPsec policy uses the IP address of the bound source interface to perform IKE negotiation. If a local address is specified, the IPsec policy uses the local address to perform IKE negotiation.
To bind a source interface to an IPsec policy:
Step / Command / Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Bind a source interface to an IPsec policy.
   Command: ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number
   Remarks: By default, no source interface is bound to an IPsec policy.
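
A configuration check for the binding guidelines above, as an added example that is not part of the HPE manual: it reads Comware-style lines and reports bindings that break the rules, plus the address each valid policy uses for IKE negotiation. The policy names, interfaces, addresses, and the indented local-address line form are assumptions.

```python
import re

# Constructed sample in Comware-style syntax; names and addresses are hypothetical.
SAMPLE = """\
ipsec policy map1 10 isakmp
 local-address 192.0.2.1
ipsec policy map2 10 manual
ipsec policy map3 10 isakmp
ipsec policy map4 10 isakmp
ipsec policy map1 local-address LoopBack0
ipsec policy map2 local-address LoopBack0
ipsec policy map3 local-address LoopBack0
ipsec policy map3 local-address LoopBack1
ipsec policy map4 local-address LoopBack0
"""

VIEW = re.compile(r"^ipsec (policy|ipv6-policy) (\S+) \d+(?: (isakmp|manual))?$")
BIND = re.compile(r"^ipsec (policy|ipv6-policy) (\S+) local-address (.+)$")
# Assumption: a policy's own local address is an indented "local-address" line.
LOCAL = re.compile(r"^\s+local-address (\S+)")

def audit(config):
    """Return (findings, ike_source) for source-interface bindings in config."""
    modes, local, bound, current = {}, {}, {}, None
    for line in config.splitlines():
        if m := BIND.match(line):
            bound.setdefault(f"{m[1]} {m[2]}", []).append(m[3].strip())
            current = None
        elif m := VIEW.match(line):
            current = f"{m[1]} {m[2]}"
            modes.setdefault(current, set()).add(m[3] or "unknown")
        elif (m := LOCAL.match(line)) and current:
            local[current] = m[1]
        elif not line.startswith(" "):
            current = None  # left the policy view
    findings, ike_source = [], {}
    for policy, ifaces in bound.items():
        problems = []
        if "manual" in modes.get(policy, ()):
            problems.append(f"{policy}: only IKE-based policies can be bound")
        if len(set(ifaces)) > 1:
            problems.append(f"{policy}: bound to {len(set(ifaces))} source interfaces")
        if problems:
            findings += problems
        elif policy in local:  # an explicit local address wins
            ike_source[policy] = f"local address {local[policy]}"
        else:
            ike_source[policy] = f"IP address of {ifaces[-1]}"
    return findings, ike_source
```

Calling audit(SAMPLE) flags map2 and map3, while map1 and map4 share LoopBack0 without a finding because one source interface may serve multiple policies.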
