Configuration Precautions for IPsec

Feature Requirements

Table 1 Feature requirements

| Feature Requirements | Series | Models |
| --- | --- | --- |
| GRE over IPsec does not support dual-system hot backup or the path MTU. Impact: User traffic cannot be forwarded. | NetEngine 8000 F | NetEngine 8000 F1A |
| In an IPsec over L2TP scenario, the device supports L2TPv2 rather than L2TPv3 and can function as the LNS rather than the LAC. In addition, the device does not support dual-system hot backup. Impact: User traffic cannot be forwarded. | NetEngine 8000 F | NetEngine 8000 F1A |
| If the RSVP-TE Hello capability is not configured on the RSVP-TE tunnel, the functionality of the mpls rsvp-te hello support-peer-gr command fails. When the RSVP node performs a master/slave main control board switchover, the RSVP adjacency between the local node and its neighbor node is torn down because the signaling protocol times out. As a result, the CR-LSP is torn down, and services transmitted over the CR-LSP are interrupted. Impact: User traffic cannot be forwarded. | NetEngine 8000 F | NetEngine 8000 F1A |
| After an IPsec tunnel interface borrows the IP address of another interface, the interface that lends its IP address cannot carry other services because it can no longer receive or send multicast or broadcast packets. Impact: Services on the interface that lends its IP address are affected. Guidelines: Properly plan the network and do not configure other services on the interface that lends its IP address. | NetEngine 8000 F | NetEngine 8000 F1A |
| IKE IPsec supports only the tunnel mode, and manual IPsec supports only the transport mode. Impact: Traffic is interrupted. Guidelines: Select the correct encapsulation mode (tunnel or transport). | NetEngine 8000 F | NetEngine 8000 F1A |
| IPsec does not support traffic forwarding through the management network interface or a global-VE interface. Impact: User traffic cannot be forwarded on these interfaces. Guidelines: Properly plan the network. | NetEngine 8000 F | NetEngine 8000 F1A |
| An ACL and an IKE peer are both required in an IPsec policy. The VPN configured in an ACL rule must be the same as the VPN bound to the IKE peer. Impact: IPsec traffic forwarding fails when the two VPNs differ. Guidelines: Ensure that the VPN bound to the IKE peer is the same as the VPN configured in the ACL rule. | NetEngine 8000 F | NetEngine 8000 F1A |
| ACL rules used for IPsec negotiation, filtering, or mirroring do not support discontinuous masks (masks in which the 0s or 1s are not contiguous, such as 255.0.255.0). Impact: IPsec negotiation, filtering, or mirroring does not take effect if discontinuous masks are used in ACL rules. | NetEngine 8000 F | NetEngine 8000 F1A |
| The ACL rules used for IPsec negotiation, traffic filtering, or mirroring must be based on an IP quintuple or a VPN instance. Port matching supports only the EQ mode, and after port matching in EQ mode is configured, non-first fragments cannot match the ACL. Impact: ACL rules that are not based on an IP quintuple or a VPN instance cannot be used for IPsec traffic filtering or mirroring; after port matching in EQ mode is configured, non-first fragments cannot match the ACL; port matching in a non-EQ mode does not take effect. | NetEngine 8000 F | NetEngine 8000 F1A |
| IPsec tunnel routes and the routes to the remote end through IPsec tunnels do not support load balancing. Impact: IPsec traffic forwarding is adversely affected. Guidelines: Configure only one route for directing traffic to the local tunnel. | NetEngine 8000 F | NetEngine 8000 F1A |
| When the device acts as a security gateway with the IPsec plug-and-play function, the ciphertext-side route can only be an IPv4 single-next-hop route. If the route has multiple next hops, select only one outbound interface for forwarding. The plug-and-play function supports only interconnection with Huawei base stations. It supports neither re-negotiation nor the scenario in which multiple IPsec SAs are negotiated within one IKE SA. It does not support MPLS forwarding. The plug-and-play function supports only the following types of ciphertext-side outbound interfaces: Ethernet physical interface, Ethernet physical sub-interface, Eth-Trunk interface, and Eth-Trunk sub-interface. The plug-and-play function does not support dual-device hot backup, distributed boards, or non-template mode. Impact: Only specific scenarios are supported. Guidelines: Use VPNs for isolation. | NetEngine 8000 F | NetEngine 8000 F1A |
| If a certificate has been imported or deleted, or a key has been created or deleted, in the target version, the device certificate and key must be deleted before a version downgrade. Functions are unaffected by the version downgrade only if the ca_config.ini file is empty. Impact: If the certificate or key is not deleted and information remains in the ca_config.ini file before a downgrade, the ca_config.ini file fails to update after the same key or certificate is created in the source version. As a result, the certificate or key configuration file is lost after the device restarts. | NetEngine 8000 F | NetEngine 8000 F1A |
| Before pinging a protection tunnel on the IPsec gateway, specify the source IP address (that is, the -a parameter). Pinging the protection tunnel with the peer tunnel interface specified as the next-hop IP address (the -nexthop parameter) is not supported. Impact: After the next hop is specified, packets are forwarded based on the next hop and fail to enter the IPsec tunnel. Guidelines: Do not ping the protection tunnel with the peer tunnel interface specified as the next-hop IP address (the -nexthop parameter). | NetEngine 8000 F | NetEngine 8000 F1A |
| When configuring static routes to direct IPsec traffic into IPsec tunnels, specify an IPsec tunnel interface as the outbound interface and configure the remote address as the next-hop address in the static routes. Impact: User traffic cannot be forwarded. | NetEngine 8000 F | NetEngine 8000 F1A |
| When multiple initiators negotiate with the same responder, the ACL rules of each initiator must not overlap those of any other initiator. Impact: If rules overlap, some of the overlapping traffic cannot be properly encrypted, and services are compromised. Guidelines: Modify the conflicting traffic protection rule of the involved initiator. | NetEngine 8000 F | NetEngine 8000 F1A |
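Several of the ACL precautions in the table (contiguous masks only, EQ-only port matching, the ACL VPN matching the IKE peer's VPN, and no overlap between different initiators' rules toward one responder) can be checked before the configuration is pushed. The following pre-deployment lint is an added example, not Huawei code or a device feature; the rule dictionaries, field names and sample addresses are constructed for this example and do not follow the device's configuration format.

```python
import ipaddress
from itertools import combinations

# Hypothetical rule representation, constructed for this example (not the device's
# configuration format): owning initiator, VPN referenced by the ACL rule,
# wildcard-masked source/destination, and the port match operator.

def mask_is_contiguous(mask: str) -> bool:
    """True for a contiguous netmask (255.255.0.0) or wildcard (0.0.255.255);
    False for an interleaved mask such as 255.0.255.0, which the table disallows."""
    v = int(ipaddress.IPv4Address(mask))
    inv = (~v) & 0xFFFFFFFF
    is_pow2 = lambda x: x & (x - 1) == 0  # ones-then-zeros (or reverse) + 1 is 2**k
    return is_pow2(v + 1) or is_pow2(inv + 1)

def to_network(addr_wild: str) -> ipaddress.IPv4Network:
    """'10.1.0.0 0.0.255.255' -> 10.1.0.0/16 (ipaddress accepts a hostmask)."""
    addr, wild = addr_wild.split()
    return ipaddress.IPv4Network(f"{addr}/{wild}", strict=False)

def lint_ipsec_acl(rules, ike_peer_vpn):
    """Return a list of problems; an empty list means the rules pass all checks."""
    issues, checkable = [], []
    for r in rules:
        bad_mask = [f for f in ("src", "dst") if not mask_is_contiguous(r[f].split()[1])]
        for f in bad_mask:
            issues.append(f"{r['name']}: discontinuous mask in {f}")
        if r.get("port_op", "eq") != "eq":
            issues.append(f"{r['name']}: port operator {r['port_op']} ignored (only eq)")
        if r["vpn"] != ike_peer_vpn:
            issues.append(f"{r['name']}: ACL VPN {r['vpn']} != IKE peer VPN {ike_peer_vpn}")
        if not bad_mask:
            checkable.append(r)
    # Rules of different initiators overlap when both src and dst ranges intersect.
    for a, b in combinations(checkable, 2):
        if (a["initiator"] != b["initiator"]
                and to_network(a["src"]).overlaps(to_network(b["src"]))
                and to_network(a["dst"]).overlaps(to_network(b["dst"]))):
            issues.append(f"{a['name']}/{b['name']}: overlapping rules from different initiators")
    return issues

# Constructed sample: three initiators' protection rules toward the same responder.
SAMPLE_RULES = [
    {"name": "site-a", "initiator": "A", "vpn": "vpn1", "port_op": "eq",
     "src": "10.1.0.0 0.0.255.255", "dst": "192.168.0.0 0.0.0.255"},
    {"name": "site-b", "initiator": "B", "vpn": "vpn1", "port_op": "eq",
     "src": "10.1.0.0 0.0.255.255", "dst": "192.168.0.0 0.0.0.255"},
    {"name": "site-c", "initiator": "C", "vpn": "vpn2", "port_op": "range",
     "src": "10.2.0.0 255.0.255.0", "dst": "192.168.1.0 0.0.0.255"},
]
```

Calling `lint_ipsec_acl(SAMPLE_RULES, "vpn1")` reports site-c's discontinuous mask, non-EQ port operator and VPN mismatch, plus the site-a/site-b overlap that would leave part of that traffic unencrypted.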

Copyright © Huawei Technologies Co., Ltd.