ipsec flow-overlap check enable

Function

The ipsec flow-overlap check enable command enables detection of overlapping IPsec flows.

The undo ipsec flow-overlap check enable command disables detection of overlapping IPsec flows.

By default, detection of overlapping IPsec flows is disabled.

This command is supported only on the NetEngine 8000 F1A.

Format

ipsec flow-overlap check enable

undo ipsec flow-overlap check enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name    Operations
ike          write

Usage Guidelines

Usage Scenario

When IPsec is deployed on a mobile bearer network, new base stations are usually added during network upgrade and capacity expansion, and the device needs to interconnect with these new base stations. In this case, you can enable detection of overlapping IPsec flows so that, after IKE negotiation, the device checks whether the to-be-encrypted data flows of the new tunnel overlap with those of existing tunnels. If they do not overlap, the new tunnel is established successfully. If they do overlap, the new tunnel fails to be established. This requires you to analyze the device networking and to plan and deliver more reasonable ACL configurations.
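The following is an added illustration, not Huawei code and not a description of the NetEngine 8000 F1A implementation: it models the post-IKE check as an intersection test between ACL-style flow selectors (source prefix, destination prefix, protocol, destination port range) and rejects a new tunnel whose selector intersects one already installed. The selector fields and the sample tunnel table are assumptions constructed for the example.

```python
# Added example (not vendor code): model of an IPsec flow-overlap check.
# Two selectors overlap when at least one packet could match both.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class FlowSelector:
    src: str                              # source prefix, e.g. "10.1.0.0/16"
    dst: str                              # destination prefix
    proto: Optional[int] = None           # IP protocol number; None = any
    dport: Tuple[int, int] = (0, 65535)   # inclusive destination port range

def _prefixes_overlap(a: str, b: str) -> bool:
    # ipaddress.overlaps() is true when either prefix contains an address of the other
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))

def _ranges_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]

def flows_overlap(a: FlowSelector, b: FlowSelector) -> bool:
    """True when the two to-be-encrypted flows have a non-empty intersection."""
    if a.proto is not None and b.proto is not None and a.proto != b.proto:
        return False  # distinct protocols can never match the same packet
    return (_prefixes_overlap(a.src, b.src)
            and _prefixes_overlap(a.dst, b.dst)
            and _ranges_overlap(a.dport, b.dport))

def admit_tunnel(existing: List[FlowSelector],
                 new: FlowSelector) -> Tuple[bool, Optional[FlowSelector]]:
    """Post-IKE decision: (True, None) to establish, (False, conflict) to reject."""
    for sel in existing:
        if flows_overlap(sel, new):
            return False, sel
    return True, None

# Constructed sample: two tunnels already established towards one core prefix.
EXISTING_TUNNELS = [
    FlowSelector("10.1.0.0/16", "192.168.100.0/24"),            # any protocol
    FlowSelector("10.2.0.0/16", "192.168.100.0/24", proto=17),  # UDP only
]

if __name__ == "__main__":
    for cand in (FlowSelector("10.1.5.0/24", "192.168.100.0/24"),
                 FlowSelector("10.3.0.0/16", "192.168.100.0/24")):
        ok, conflict = admit_tunnel(EXISTING_TUNNELS, cand)
        print(cand, "established" if ok else f"rejected, overlaps {conflict}")
```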

Precautions

  • This function does not support NAT traversal.
  • This function affects the device performance. You are advised to disable this function when the network operation is stable (without such operations as upgrade or capacity expansion).
  • Disable this function immediately after you complete such operations as upgrade or capacity expansion.

Example

# Enable detection of overlapping IPsec flows.
<HUAWEI> system-view
[~HUAWEI] ipsec flow-overlap check enable
Copyright © Huawei Technologies Co., Ltd.