The ipsec fragmentation before-encryption command configures a device to fragment IPsec packets and then encrypt the packet fragments in a specified IPsec policy view.
The undo ipsec fragmentation before-encryption command cancels the configuration.
By default, a device encrypts and then fragments IPsec packets.
This command is supported only on the NetEngine 8000 F1A.
Usage Scenario
By default, a device encrypts and then fragments an IPsec packet in a specified IPsec policy view. The remote device decrypts the IPsec packet only after having received all packet fragments. After the ipsec fragmentation before-encryption command is run, a device fragments an IPsec packet and then encrypts the packet fragments. The remote device then decrypts every fragment as soon as the fragment is received. This speeds up packet parsing by the remote device.
Configuration Impact
If both the ipsec fragmentation before-encryption and ipsec global fragmentation before-encryption commands are run, the ipsec fragmentation before-encryption command preferentially takes effect.
After the undo ipsec fragmentation before-encryption command is run, the ipsec global fragmentation before-encryption command configuration takes effect.
Precautions
Before running the ipsec fragmentation before-encryption command, enter the tunnel interface view to cancel the IPsec policy if there is one on the tunnel interface. After running the ipsec fragmentation before-encryption command, apply the IPsec policy to the tunnel interface to make the policy take effect.
If the ipsec fragmentation before-encryption command is run, the ipsec df-bit clear command must also be run to enable IPsec packet fragmentation.
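The two processing orders described under Usage Scenario, and the DF-bit precaution above, modeled as an added example (not part of the command reference and not device code). The header sizes assume IPv4 without options and ESP tunnel mode with AES-CBC and a 12-byte ICV, and returning None for a packet whose DF bit is set and not cleared is a modeling assumption, not documented device behavior.

```python
import math

# Assumed sizes (not from the command reference): IPv4 without options,
# ESP tunnel mode with AES-CBC (16-byte IV and block) and a 12-byte ICV.
IP_HDR, ESP_HDR, IV, ICV, BLOCK, TRAILER = 20, 8, 16, 12, 16, 2
FIXED = IP_HDR + ESP_HDR + IV + ICV

def esp_size(inner_len):
    """Outer packet length after encapsulating one inner IP packet."""
    return FIXED + math.ceil((inner_len + TRAILER) / BLOCK) * BLOCK

def ip_fragment(total_len, mtu):
    """Lengths of the IPv4 fragments needed to carry total_len over mtu."""
    if total_len <= mtu:
        return [total_len]
    step = (mtu - IP_HDR) // 8 * 8          # fragment data is a multiple of 8
    payload, sizes = total_len - IP_HDR, []
    while payload > step:
        sizes.append(IP_HDR + step)
        payload -= step
    sizes.append(IP_HDR + payload)
    return sizes

def encrypt_then_fragment(inner_len, mtu):
    """Default order: one ESP packet, split on the wire."""
    wire = ip_fragment(esp_size(inner_len), mtu)
    # The receiver must reassemble every fragment before it can decrypt.
    return {"wire": wire, "decrypt_ops": 1,
            "reassemble_before_decrypt": len(wire) > 1}

def fragment_then_encrypt(inner_len, mtu, df_set=False, df_cleared=True):
    """before-encryption order: split the inner packet, one ESP packet per piece."""
    # Largest inner packet whose ESP encapsulation still fits the MTU.
    max_inner = (mtu - FIXED) // BLOCK * BLOCK - TRAILER
    if inner_len > max_inner and df_set and not df_cleared:
        return None                          # DF forbids splitting the inner packet
    wire = [esp_size(n) for n in ip_fragment(inner_len, max_inner)]
    # Each wire packet is a complete ESP packet and decrypts on arrival.
    return {"wire": wire, "decrypt_ops": len(wire),
            "reassemble_before_decrypt": False}

if __name__ == "__main__":
    # Constructed input: a 1500-byte inner packet over a 1500-byte MTU.
    print("encrypt-then-fragment:", encrypt_then_fragment(1500, 1500))
    print("fragment-then-encrypt:", fragment_then_encrypt(1500, 1500))
    print("DF set, not cleared:  ", fragment_then_encrypt(1500, 1500, True, False))
```

With the default order the receiver holds the first fragment until the second arrives; with fragmentation before encryption each wire packet stays within the MTU and is decrypted independently.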