Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

ipsec policy shared

Function

The ipsec policy shared command configures a multi-link shared IPSec policy group.

The undo ipsec policy shared command cancels the configuration.

By default, no multi-link shared IPSec policy group is configured.

Format

ipsec policy policy-name shared local-interface loopback interface-number

undo ipsec policy policy-name shared

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| policy-name | Specifies the name of an IPSec policy. The IPSec policy must have been configured in the system view. | The value is a string of 1 to 15 case-sensitive characters without question marks (?) or spaces. |
| interface-number | Specifies the loopback interface number. The loopback interface must have been created. | The value is an integer that ranges from 0 to 1023. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To improve network reliability, an enterprise gateway often connects to the Internet Service Provider (ISP) through two egress links that work in backup or load balancing mode. When the two outbound interfaces are configured with IPSec policies that have the same parameter settings, services need to switch smoothly between the two links. Each outbound interface negotiates with its peer to establish its own IPSec SAs. When one interface alternates between the Up and Down states and an active/standby switchover occurs, the two peers must perform IKE negotiation again to generate IPSec SAs. The IKE re-negotiation interrupts IPSec services for a short time.

You can configure a multi-link shared IPSec policy group and use a loopback interface on the local device to establish an IPSec tunnel with the remote device. When an active/standby switchover occurs, IPSec services are not interrupted. The two IPSec-enabled physical interfaces share the same IPSec SA. When services are switched between links corresponding to the physical interfaces, the IPSec SA is not deleted as long as the loopback interface status remains unchanged. In addition, IKE re-negotiation is not required because the same IPSec SA is used to protect IPSec services.

Precautions

One loopback interface maps to only one multi-link shared IPSec policy group.

Example

# Configure a multi-link shared IPSec policy group named policy1.

<Huawei> system-view
[Huawei] interface loopback 0
[Huawei-LoopBack0] quit
[Huawei] ipsec policy policy1 shared local-interface loopback 0
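
An added example, not part of Huawei's documentation: a Python check that audits configuration text against the constraints stated on this page (the policy-name and interface-number values, the loopback interface having been created, and one loopback interface mapping to only one shared policy group). The function name, the sample configuration and the acceptance of the LoopBack0 spelling are assumptions made for illustration.

```python
import re

PROMPT_RE = re.compile(r"^(<[^>]*>|\[[^\]]*\])\s*")  # "<Huawei> " or "[Huawei] "
LOOPBACK_RE = re.compile(r"^interface loopback\s*(\d+)$", re.I)
# Command form from the "Format" section of this page.
SHARED_RE = re.compile(
    r"^ipsec policy (.+) shared local-interface loopback\s*(\S+)$", re.I)


def audit_shared_policies(config_text):
    """Return (line_number, message) findings for shared IPSec policy lines."""
    findings, created, bound = [], set(), {}  # bound: loopback number -> policy name
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = PROMPT_RE.sub("", raw.strip())
        m = LOOPBACK_RE.match(line)
        if m:
            created.add(int(m.group(1)))
        m = SHARED_RE.match(line)
        if not m:
            continue
        name, num = m.groups()
        problems = []
        if not 1 <= len(name) <= 15 or re.search(r"[?\s]", name):
            problems.append(f"policy-name {name!r} must be 1 to 15 characters without '?' or spaces")
        if not num.isdecimal() or not 0 <= int(num) <= 1023:
            problems.append(f"interface-number {num!r} is outside 0 to 1023")
        elif int(num) not in created:
            problems.append(f"loopback {num} has not been created")
        elif bound.get(int(num), name) != name:
            problems.append(f"loopback {num} already maps to shared policy group {bound[int(num)]!r}")
        findings.extend((lineno, p) for p in problems)
        if not problems:
            bound[int(num)] = name
    return findings

# Constructed sample configuration (not from the page).
SAMPLE = """\
interface LoopBack0
interface loopback 1
ipsec policy policy1 shared local-interface loopback 0
ipsec policy policy2 shared local-interface loopback 0
ipsec policy averyveryverylongname shared local-interface loopback 1
ipsec policy policy3 shared local-interface loopback 2000
ipsec policy policy4 shared local-interface loopback 7
"""

if __name__ == "__main__":
    for lineno, message in audit_shared_policies(SAMPLE):
        print(f"line {lineno}: {message}")
```

The session shown in the Example section passes this check with no findings, because prompts such as `[Huawei]` are stripped before matching.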
Updated: 2019-02-18

Document ID: EDOC1000097293
