ipsec global

Function

The ipsec global df-bit clear command sets the Don't Fragment (DF) flag bit in IPSec packets to 0 so that they can be fragmented. The setting applies globally.

The undo ipsec global df-bit clear command cancels the configuration.

The ipsec global fragmentation before-encryption command configures the device to fragment IPSec packets before encryption, that is, to fragment the plaintext packet and then encrypt each fragment. The setting applies globally.

The undo ipsec global fragmentation before-encryption command cancels the configuration.

The ipsec global sm4 version command sets the SM4 version to be used for SA negotiation globally.

The undo ipsec global sm4 version command restores the global SM4 version to default configuration.

By default, the DF flag bit in a packet is not cleared (not set to 0).

By default, a device encrypts and then fragments IPSec packets.

By default, the global SM4 version is standard GM/T 0022-2014.

This command is supported only on the NetEngine 8000 F1A.

Format

ipsec global df-bit clear

ipsec global fragmentation before-encryption

ipsec global sm4 version { draft-standard | standard }

undo ipsec global df-bit clear

undo ipsec global fragmentation before-encryption

undo ipsec global sm4 version { draft-standard | standard }

Parameters

Parameter        Description                                                         Value
draft-standard   Indicates the draft standard GM/T XXXX-2013, with SM4 algorithm     -
                 value 127.
standard         Indicates the standard GM/T 0022-2014, with SM4 algorithm           -
                 value 129.

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name   Operations
ike         write

Usage Guidelines

By default, a device encrypts an IPSec packet and then fragments it (this applies globally). The remote device can decrypt the packet only after it has received and reassembled all fragments. After the ipsec global fragmentation before-encryption command is run, the device fragments the plaintext packet first and then encrypts each fragment, so the remote device can decrypt every fragment as soon as it arrives instead of waiting for reassembly. This speeds up packet processing on the remote device. Note that each encrypted fragment carries its own ESP encapsulation overhead, so the fragment size must leave room for that overhead and the traffic occupies slightly more bytes on the wire than with encrypt-then-fragment.

After running the ipsec global fragmentation before-encryption command, also run the ipsec global df-bit clear command to set the DF flag bit to 0 so that IPSec packets can be fragmented. If the two commands are not used together, the DF flag bit in a packet may still be 1 (the packet must not be fragmented), and the fragmentation before encryption configured by the ipsec global fragmentation before-encryption command cannot take effect.

In practice, the SM4 algorithm on some devices follows the draft standard GM/T XXXX-2013 (SM4 algorithm value 127), while the SM4 algorithm on the router follows the standard GM/T 0022-2014 (SM4 algorithm value 129). Because the two sides then propose different algorithm values, SA negotiation fails and the peers cannot communicate. To interwork with such a device, configure the SM4 version on the router to follow the draft standard GM/T XXXX-2013. Keep the default (standard) unless the peer actually requires the draft value, since the setting applies to all SA negotiations on the device.
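The following model, added here as an illustration and not part of the Huawei page or the NetEngine implementation, shows how the two fragmentation orders and the DF bit interact. It performs no cryptography: packets are represented by their length, MTU and ESP overhead are assumed values, and the function and class names (ip_fragment, encrypt_then_fragment, fragment_then_encrypt, DropDF) are hypothetical. The df_bit_clear argument stands in for the ipsec global df-bit clear command.

```python
"""Model of the two IPSec fragmentation orders and the DF bit.

Added example; not Huawei code. Sizes are assumed for illustration.
"""
from dataclasses import dataclass

MTU = 1500            # assumed MTU of the IPSec outbound interface
IP_HDR = 20           # IPv4 header without options
# Assumed tunnel-mode ESP overhead: outer IPv4 header + SPI/sequence number
# + 16-byte IV + pad-length/next-header + 16-byte ICV (block padding ignored).
ESP_OVERHEAD = 20 + 8 + 16 + 2 + 16   # = 62 bytes


class DropDF(Exception):
    """Packet exceeds the MTU but carries DF=1: it cannot be fragmented."""


@dataclass(frozen=True)
class Frag:
    length: int        # bytes on the wire, IP header included
    encrypted: bool    # True once ESP-encapsulated
    df: bool           # DF flag carried by this fragment


def ip_fragment(total_len, mtu, df, encrypted):
    """IPv4 fragmentation of one packet so that every fragment fits mtu."""
    if total_len <= mtu:
        return [Frag(total_len, encrypted, df)]
    if df:
        raise DropDF(f"{total_len} > {mtu} with DF=1")
    per_frag = (mtu - IP_HDR) // 8 * 8    # fragment offsets are in 8-byte units
    remaining = total_len - IP_HDR
    frags = []
    while remaining > 0:
        chunk = min(per_frag, remaining)
        frags.append(Frag(IP_HDR + chunk, encrypted, df))
        remaining -= chunk
    return frags


def esp_encapsulate(frag):
    """Wrap one cleartext IP packet or fragment in tunnel-mode ESP."""
    return Frag(frag.length + ESP_OVERHEAD, True, frag.df)


def encrypt_then_fragment(inner_len, df, df_bit_clear=False):
    """Default behaviour: encapsulate the whole packet, then fragment the ESP
    packet. The receiver must reassemble every fragment before it can decrypt."""
    if df_bit_clear:                       # ipsec global df-bit clear
        df = False
    esp = esp_encapsulate(Frag(inner_len, False, df))
    wire = ip_fragment(esp.length, MTU, df, encrypted=True)
    return {"wire": wire, "decrypt_ops": 1, "frags_before_first_decrypt": len(wire)}


def fragment_then_encrypt(inner_len, df, df_bit_clear=False):
    """ipsec global fragmentation before-encryption: fragment the cleartext
    packet so that fragment + ESP overhead fits the MTU, then encapsulate each
    fragment. The receiver decrypts every fragment as soon as it arrives."""
    if df_bit_clear:                       # ipsec global df-bit clear
        df = False
    inner = ip_fragment(inner_len, MTU - ESP_OVERHEAD, df, encrypted=False)
    wire = [esp_encapsulate(f) for f in inner]
    return {"wire": wire, "decrypt_ops": len(wire), "frags_before_first_decrypt": 1}


def dropped(mode, inner_len, df, df_bit_clear=False):
    """True when the packet is discarded because DF=1 forbids fragmentation."""
    try:
        mode(inner_len, df, df_bit_clear)
        return False
    except DropDF:
        return True


if __name__ == "__main__":
    for mode in (encrypt_then_fragment, fragment_then_encrypt):
        r = mode(1500, df=False)
        print(mode.__name__, [f.length for f in r["wire"]], r["decrypt_ops"])
    print("DF=1, no df-bit clear:", dropped(fragment_then_encrypt, 1500, True))
    print("DF=1, df-bit clear:   ", dropped(fragment_then_encrypt, 1500, True, True))
```

With a 1500-byte inner packet, encrypt-then-fragment sends one full-size fragment plus a small tail and the receiver must hold both before a single decryption; fragment-then-encrypt sends two ESP packets that each fit the MTU and are decrypted independently. With DF=1 both orders drop the packet unless the DF bit is cleared, which is why the page pairs the two commands.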

Example

# Set the global SM4 algorithm to be draft standard GM/T XXXX-2013.
<HUAWEI> system-view
[~HUAWEI] ipsec global sm4 version draft-standard
# Configure a device to fragment IPSec packets and then encrypt the packet fragments globally.
<HUAWEI> system-view
[~HUAWEI] ipsec global fragmentation before-encryption
# Configure the IPSec packet fragmentation function globally.
<HUAWEI> system-view
[~HUAWEI] ipsec global df-bit clear
Copyright © Huawei Technologies Co., Ltd.