The overlapping IPsec flow detection function takes effect only for template IPsec policies.
When IPsec is deployed on a mobile bearer network, new base stations are usually added during network upgrade and capacity expansion, and the device must interconnect with them. This is typically a complex scenario involving a large number of base stations. The data flows configured and negotiated for encryption may overlap with existing data flows, causing IPsec service faults. After such a fault occurs, the queried tunnel status is normal and packets are still forwarded rather than dropped, so fault location becomes difficult and time-consuming.
This function applies only to new IPsec tunnels: it detects data flows of a new IPsec tunnel that overlap with those of existing IPsec tunnels established in the same VPN instance. The detection compares the source IP address/address group, destination IP address/address group, source port range, destination port range, protocol, and DSCP fields. Overlapping flow detection is not performed on existing or renegotiated IPsec tunnels or on delivered ACL configurations.
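As an added illustration, not code from the product documentation, the following Python models the overlap check over the fields listed above: two flow selectors overlap when some packet could match both, with an unspecified protocol or DSCP treated as a wildcard. The selector values, VPN instance names and port numbers are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)  # full port range, i.e. "any port"


@dataclass(frozen=True)
class FlowSelector:
    """The fields the detection compares for one IPsec data flow (ACL rule)."""
    src: str                             # CIDR, constructed sample value
    dst: str                             # CIDR, constructed sample value
    src_ports: Tuple[int, int] = ANY_PORT
    dst_ports: Tuple[int, int] = ANY_PORT
    protocol: Optional[int] = None       # None = any IP protocol
    dscp: Optional[int] = None           # None = any DSCP value


def _nets_overlap(a: str, b: str) -> bool:
    # Two prefixes overlap if either contains an address of the other.
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def _ranges_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def _scalar_overlap(a: Optional[int], b: Optional[int]) -> bool:
    # A wildcard (None) matches everything; otherwise the values must be equal.
    return a is None or b is None or a == b


def flows_overlap(new: FlowSelector, old: FlowSelector) -> bool:
    """True if some packet could match both selectors (overlapping flows)."""
    return (_nets_overlap(new.src, old.src) and _nets_overlap(new.dst, old.dst)
            and _ranges_overlap(new.src_ports, old.src_ports)
            and _ranges_overlap(new.dst_ports, old.dst_ports)
            and _scalar_overlap(new.protocol, old.protocol)
            and _scalar_overlap(new.dscp, old.dscp))


def check_new_tunnel(new: FlowSelector, existing: List[Tuple[str, FlowSelector]],
                     vpn: str) -> List[FlowSelector]:
    """Existing flows in the same VPN instance that overlap with the new tunnel's flow."""
    return [old for old_vpn, old in existing if old_vpn == vpn and flows_overlap(new, old)]


# Constructed sample: (VPN instance, flow) pairs for tunnels that already exist.
EXISTING = [
    ("vpn-bs", FlowSelector("10.1.0.0/24", "192.0.2.0/24")),
    ("vpn-bs", FlowSelector("10.2.0.0/24", "192.0.2.0/24", protocol=17, dst_ports=(2152, 2152))),
    ("vpn-other", FlowSelector("10.1.0.0/16", "192.0.2.0/24")),   # other VPN instance: ignored
]
NEW_FLOW = FlowSelector("10.1.0.128/25", "192.0.2.10/32")          # new base station
```

`check_new_tunnel(NEW_FLOW, EXISTING, "vpn-bs")` returns the first existing flow only: the new prefixes fall inside it, while the second flow has a disjoint source and the third belongs to another VPN instance.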
The system view is displayed.
Detection of overlapping IPsec flows is enabled.
If overlapping flows are detected, re-plan and deliver more refined ACL configurations to prevent IPsec service faults caused by overlapping flows.