Enabling the ipsec module backup function, Configuring the ipsec session idle timeout – H3C Technologies H3C SecPath F1000-E User Manual
• If the encryption engine is enabled, the engine takes over the responsibility of IPsec processing;
• If the encryption engine is disabled or has failed, the matching packets are discarded.
Follow these steps to enable the encryption engine:
To do…                           Use the command…        Remarks
Enter system view                system-view             —
Enable the encryption engine     cryptoengine enable     Optional. By default, the encryption engine is enabled.
Enabling the IPsec Module Backup Function
Follow these steps to enable the IPsec module backup function:
To do…                                    Use the command…          Remarks
Enter system view                         system-view               —
Enable the IPsec module backup function   ipsec cpu-backup enable   Required. Enabled by default.
Configuring the IPsec Session Idle Timeout
NOTE: The F5000-A5 firewall does not support this feature.
An IPsec session is created when the first packet matching an IPsec policy arrives. At the same time, an IPsec session entry is created, which records the quintuplet (source IP address, destination IP address, protocol number, source port, and destination port) and the matched IPsec tunnel.

An IPsec session is automatically deleted after the idle timeout expires.

Subsequent packets of the data flow are looked up in the session entries by quintuplet. If a matching entry is found, the packets are processed according to the recorded tunnel information; otherwise, they go through the original IPsec process: search the policy group or policy applied to the interface, and then the matched tunnel.

Because the session mechanism skips these intermediate matching steps for every packet after the first, it improves IPsec forwarding efficiency.
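The session mechanism described above, as an added simulation that is not part of the manual and not H3C code: the first packet of a flow walks the policy list, later packets hit the session entry keyed on the quintuplet, and an entry idle for longer than the timeout (300 s by default) is removed so the next packet takes the slow path again. Policy matching on a destination prefix, the tunnel names and the packets are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Quintuplet recorded in a session entry: src IP, dst IP, protocol, src port, dst port
Quintuplet = Tuple[str, str, int, int, int]


@dataclass
class IpsecPolicy:
    """Hypothetical policy: selects a tunnel for traffic to a destination prefix (constructed)."""
    name: str
    dst_prefix: str
    tunnel: str


class IpsecSessionTable:
    """Simulates the IPsec session cache: fast path by quintuplet, slow path via policy lookup."""

    def __init__(self, policies: List[IpsecPolicy], idle_time: int = 300):
        self.policies = policies
        self.idle_time = idle_time                           # ipsec session idle-time, default 300 s
        self.sessions: Dict[Quintuplet, Tuple[str, float]] = {}  # quintuplet -> (tunnel, last_seen)
        self.policy_lookups = 0                              # counts slow-path lookups

    def _match_policy(self, pkt: Quintuplet) -> Optional[str]:
        # Slow path: search the policies applied to the interface for the matched tunnel.
        self.policy_lookups += 1
        for pol in self.policies:
            if pkt[1].startswith(pol.dst_prefix):
                return pol.tunnel
        return None

    def expire_idle(self, now: float) -> int:
        # Delete every entry that has been idle for the full timeout; return how many were removed.
        stale = [k for k, (_, last) in self.sessions.items() if now - last >= self.idle_time]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def process(self, pkt: Quintuplet, now: float) -> Tuple[Optional[str], str]:
        # Returns (tunnel, path) where path tells whether the session entry or a policy lookup decided.
        self.expire_idle(now)
        if pkt in self.sessions:
            tunnel, _ = self.sessions[pkt]
            self.sessions[pkt] = (tunnel, now)               # refresh idle timer
            return tunnel, "session"
        tunnel = self._match_policy(pkt)
        if tunnel is None:
            return None, "no-policy"                         # not IPsec traffic; no session created
        self.sessions[pkt] = (tunnel, now)                   # first matching packet creates the entry
        return tunnel, "policy"
```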
Follow these steps to set the IPsec session idle timeout:
To do…                               Use the command…                   Remarks
Enter system view                    system-view                        —
Set the IPsec session idle timeout   ipsec session idle-time seconds    Optional. 300 seconds by default.