CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
(Optional) Configuring IPSec Fragmentation Before Encryption


The length of IPSec-encapsulated packets may exceed the maximum transmission unit (MTU) of the outbound interface on the local device. If the IPSec remote device does not support fragmentation and reassembly, it cannot decapsulate packets and will discard or incorrectly process packets, affecting packet transmission.

To prevent this problem, configure IPSec fragmentation before encryption on the local device. Subsequently, the local device calculates the length of encapsulated packets. If the length exceeds the MTU, the device fragments the packets and then encapsulates each fragment. After packets reach the IPSec remote device, the remote device can decapsulate the fragments without having to reassemble them. The decapsulated packets will be forwarded normally.


  1. Run system-view

    The system view is displayed.

  2. Run ipsec fragmentation before-encryption

    The fragmentation mode of packets is set to fragmentation before encryption for all IPSec tunnels.

    By default, the packet fragmentation mode for all IPSec tunnels is fragmentation after encryption.

    The DF flag in IPSec packets determines whether IPSec packets can be fragmented. If the DF flag setting prevents fragmentation while this fragmentation mode is in use, run the ipsec df-bit { clear | set | copy } command in the system view to allow IPSec packets to be fragmented.

    Established IPSec tunnels must be restarted after you run this command. Otherwise, the command does not take effect.
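
The difference between the two fragmentation modes can be worked through numerically. The following Python model is an added example, not part of the Huawei documentation and not the device's own algorithm; it assumes IPv4 without options, ESP tunnel mode with AES-CBC and a 16-byte ICV, and a cleared DF flag, and all function names are hypothetical.

```python
# Added illustration. Overheads assume IPv4 without options and ESP tunnel mode
# with AES-CBC and a 16-byte ICV (assumptions; other proposals change the numbers).
IP_HDR = 20        # IPv4 header, used for both inner and outer packets
ESP_HDR = 8        # SPI + sequence number
IV_LEN = 16        # AES-CBC initialization vector
BLOCK = 16         # AES block size, ESP pads the plaintext to a multiple of it
ESP_TRAILER = 2    # pad-length + next-header bytes
ICV_LEN = 16       # truncated integrity check value

def esp_tunnel_len(inner_len):
    """On-wire length of an inner IPv4 packet after ESP tunnel encapsulation."""
    padded = (inner_len + ESP_TRAILER + BLOCK - 1) // BLOCK * BLOCK
    return IP_HDR + ESP_HDR + IV_LEN + padded + ICV_LEN

def ip_fragment(total_len, mtu):
    """Lengths of the IPv4 fragments of one packet (DF flag assumed clear)."""
    if total_len <= mtu:
        return [total_len]
    payload = total_len - IP_HDR
    chunk = (mtu - IP_HDR) // 8 * 8   # non-final fragments carry multiples of 8 bytes
    frags = []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(IP_HDR + take)
        payload -= take
    return frags

def max_inner_len(mtu):
    """Largest inner packet whose encapsulated form still fits the MTU."""
    n = mtu
    while esp_tunnel_len(n) > mtu:
        n -= 1
    return n

def after_encryption(inner_len, mtu):
    """Default mode: one ESP packet is built, then split; the peer must reassemble."""
    return ip_fragment(esp_tunnel_len(inner_len), mtu)

def before_encryption(inner_len, mtu):
    """Inner packet is split first; every result is a complete ESP packet."""
    return [esp_tunnel_len(f) for f in ip_fragment(inner_len, max_inner_len(mtu))]

if __name__ == "__main__":
    # Constructed sample: a 1500-byte inner packet leaving an interface with MTU 1500.
    print("after encryption :", after_encryption(1500, 1500))
    print("before encryption:", before_encryption(1500, 1500))
```

In the after-encryption result the second packet is a trailing piece of a single ESP packet, so the peer cannot authenticate or decrypt anything until it has reassembled both pieces. In the before-encryption result each packet carries its own ESP header and ICV and is decapsulated independently.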

Updated: 2019-08-07

Document ID: EDOC1100033725
