H3C Technologies H3C SecPath F1000-E User Manual

Step                                           Command             Remarks
3. Enable packet information pre-extraction.   qos pre-classify    Disabled by default.

Enabling invalid SPI recovery

When the security gateway at one end of an IPsec tunnel loses its SAs because it rebooted or for any other reason, its peer may not learn of the loss and keeps sending IPsec packets to it. The receiver discards these packets because it cannot find SAs matching their SPIs, and the traffic is blackholed. The situation resolves only after the stale SAs on the sender age out and new SAs are negotiated between the two peers. To shorten this service interruption, configure the invalid SPI recovery feature.

With invalid SPI recovery enabled, the receiver sends an INVALID SPI NOTIFY message to tell the sender which SPIs it cannot match. On receiving the message, the sender immediately deletes the corresponding SAs, and the next traffic that matches the policy triggers the two peers to negotiate new SAs for data transmission.

Because the sender tears down SAs on receipt of the message, attackers can abuse INVALID SPI NOTIFY messages to mount a DoS attack against the IPsec packet sender. For this reason the feature is disabled by default, and the receiver silently discards packets with invalid SPIs.

To enable invalid SPI recovery:

Step                              Command                              Remarks
1. Enter system view.             system-view                          N/A
2. Enable invalid SPI recovery.   ipsec invalid-spi-recovery enable    Optional. Disabled by default.
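The following Python model is an added example and is not code from the manual or from H3C; it shows the blackhole the text describes, how an INVALID SPI NOTIFY clears it, and why an unauthenticated notify is a DoS lever. Gateway names, SPI values and the ESP packets are constructed; only the ESP header layout (4-byte SPI, 4-byte sequence number) follows RFC 4303.

```python
import struct

# ESP header (RFC 4303): 4-byte SPI followed by a 4-byte sequence number.
# The payload is a constructed placeholder; no encryption or authentication is modelled.
ESP_HDR = struct.Struct("!II")


def build_esp(spi, seq, payload=b"\x00" * 16):
    """Return a minimal ESP packet carrying the given SPI and sequence number."""
    return ESP_HDR.pack(spi, seq) + payload


class Gateway:
    """Toy IPsec gateway: inbound SAs keyed by SPI, one outbound SPI per peer (assumed model)."""

    def __init__(self, name, invalid_spi_recovery=False):
        self.name = name
        self.invalid_spi_recovery = invalid_spi_recovery  # off by default, as on the SecPath
        self.inbound = {}    # inbound SPI -> peer name
        self.outbound = {}   # peer name -> SPI placed in packets sent to that peer
        self.events = []

    def install_sa_pair(self, peer, in_spi, out_spi):
        self.inbound[in_spi] = peer.name
        self.outbound[peer.name] = out_spi

    def reboot(self):
        """The failure in the text: every SA is lost and the peer is not told."""
        self.inbound.clear()
        self.outbound.clear()

    def send(self, peer, payload):
        spi = self.outbound.get(peer.name)
        if spi is None:
            # No SA for this peer: a real gateway would trigger IKE negotiation here.
            self.events.append(("renegotiate", peer.name))
            return "negotiate"
        return peer.receive(self, build_esp(spi, 1, payload))

    def receive(self, sender, packet):
        spi, _seq = ESP_HDR.unpack_from(packet)
        if spi in self.inbound:
            return "accepted"
        if self.invalid_spi_recovery:
            # Report the unmatched SPI so the sender drops its stale SA.
            sender.handle_invalid_spi_notify(self, spi)
            return "dropped+notified"
        return "dropped"  # silent discard: the blackhole lasts until the sender's SA ages out

    def handle_invalid_spi_notify(self, from_gw, spi):
        """Sender side: delete the outbound SA only if the reported SPI is the one in use."""
        if self.outbound.get(from_gw.name) == spi:
            del self.outbound[from_gw.name]
            self.events.append(("sa-deleted", spi))
            return True
        return False  # unknown SPI: ignored; this match is the only guard against a forged notify


def blackhole_scenario(recovery_enabled):
    """Outcome of two sends from A after B lost its SAs."""
    a = Gateway("A")
    b = Gateway("B", invalid_spi_recovery=recovery_enabled)
    a.install_sa_pair(b, in_spi=0x1001, out_spi=0x2001)   # constructed SPIs
    b.install_sa_pair(a, in_spi=0x2001, out_spi=0x1001)
    assert a.send(b, b"ok") == "accepted"
    b.reboot()                      # B forgets everything; A still holds SPI 0x2001
    first = a.send(b, b"after reboot")
    second = a.send(b, b"after reboot")
    return first, second


def forged_notify(spi_guess):
    """DoS angle: a notify that names the live SPI tears down a healthy SA."""
    a = Gateway("A")
    b = Gateway("B", invalid_spi_recovery=True)
    a.install_sa_pair(b, in_spi=0x1001, out_spi=0x2001)
    b.install_sa_pair(a, in_spi=0x2001, out_spi=0x1001)
    impostor = Gateway("B")         # claims to be B; nothing here authenticates the message source
    deleted = a.handle_invalid_spi_notify(impostor, spi_guess)
    return deleted, a.send(b, b"probe")


if __name__ == "__main__":
    print(blackhole_scenario(False))   # ('dropped', 'dropped')
    print(blackhole_scenario(True))    # ('dropped+notified', 'negotiate')
    print(forged_notify(0x2001))       # (True, 'negotiate')
```

With recovery disabled the sender keeps using SPI 0x2001 and every packet is dropped; with it enabled the first packet produces a notify, the sender deletes the SA and the next packet triggers renegotiation. The last call shows the trade-off the manual warns about: whoever can inject a notify naming a live SPI forces the SA down.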

Configuring IPsec RRI

IPsec reverse route injection (RRI) works in static mode or dynamic mode.

Static IPsec RRI

Static IPsec RRI creates static routes based on the destination address information in the ACL that the IPsec policy references. The next hop of each route is either a user-specified remote peer address or the IP address of the remote tunnel endpoint configured in the policy.

Static IPsec RRI creates the static routes immediately after you enable RRI in an IPsec policy and apply the policy, without waiting for any SA to be negotiated. When you disable RRI, or remove the ACL or the peer gateway IP address from the policy, IPsec RRI deletes all the static routes it has created.

The static mode suits scenarios where the topologies of the branch networks seldom change.

Dynamic IPsec RRI

Dynamic IPsec RRI creates static routes based on the IPsec SAs. In each such route, the destination is the protected branch network, and the next hop is either the user-specified remote peer address or the remote tunnel endpoint address learned during IPsec SA negotiation.

Dynamic IPsec RRI creates a static route when the corresponding IPsec SA is established and deletes the route when the SA is deleted.
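The following Python model is an added example, not code from the manual or from H3C; it derives the routes each RRI mode would hold from a policy and a set of SAs, and walks through the lifecycle described above (static routes present before any SA, gone when the ACL is removed; dynamic routes tied to SA creation and deletion). The policy and SA structures, prefixes and addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address


@dataclass
class IpsecPolicy:
    """Subset of an IPsec policy relevant to RRI (constructed model, not the device's data structure)."""
    acl_destinations: list = field(default_factory=list)     # destination prefixes from the referenced ACL
    remote_gateway: Optional[ipaddress.IPv4Address] = None   # remote tunnel endpoint configured in the policy
    rri_enabled: bool = False
    rri_mode: str = "static"                                  # "static" or "dynamic"
    rri_remote_peer: Optional[ipaddress.IPv4Address] = None  # user-specified next hop; overrides the endpoint


@dataclass(frozen=True)
class IpsecSA:
    """What dynamic RRI needs from an established SA."""
    protected_network: ipaddress.IPv4Network   # remote branch network agreed during negotiation
    remote_endpoint: ipaddress.IPv4Address     # peer tunnel address learned during negotiation


def reverse_routes(policy, sas=()):
    """Return the set of static routes RRI holds for this policy and these SAs."""
    if not policy.rri_enabled:
        return set()
    if policy.rri_mode == "static":
        next_hop = policy.rri_remote_peer or policy.remote_gateway
        if next_hop is None:
            return set()   # no peer gateway and no explicit next hop: nothing can be installed
        # One route per ACL destination, installed as soon as the policy is applied.
        return {Route(dest, next_hop) for dest in policy.acl_destinations}
    # Dynamic mode: one route per SA, next hop learned from the SA unless overridden.
    return {Route(sa.protected_network, policy.rri_remote_peer or sa.remote_endpoint) for sa in sas}


# Constructed sample data (documentation-range addresses).
BRANCH_A = ipaddress.ip_network("10.1.0.0/24")
BRANCH_B = ipaddress.ip_network("10.2.0.0/24")
PEER_GW = ipaddress.ip_address("203.0.113.1")
LEARNED_GW = ipaddress.ip_address("203.0.113.9")


def static_lifecycle():
    """Static mode: routes exist without any SA and vanish when the ACL is removed."""
    policy = IpsecPolicy([BRANCH_A, BRANCH_B], remote_gateway=PEER_GW, rri_enabled=True)
    before_any_sa = reverse_routes(policy)
    policy.acl_destinations = []          # ACL removed from the policy
    after_acl_removed = reverse_routes(policy)
    return before_any_sa, after_acl_removed


def dynamic_lifecycle():
    """Dynamic mode: a route appears with its SA and disappears with it."""
    policy = IpsecPolicy([BRANCH_A, BRANCH_B], remote_gateway=PEER_GW,
                         rri_enabled=True, rri_mode="dynamic")
    no_sa = reverse_routes(policy, [])
    with_sa = reverse_routes(policy, [IpsecSA(BRANCH_A, LEARNED_GW)])
    after_sa_deleted = reverse_routes(policy, [])
    return no_sa, with_sa, after_sa_deleted


if __name__ == "__main__":
    for routes in static_lifecycle() + dynamic_lifecycle():
        print(sorted((str(r.destination), str(r.next_hop)) for r in routes))
```

Note the asymmetry the model makes visible: in static mode BRANCH_B gets a route even though no tunnel to it ever comes up, whereas in dynamic mode only the branch with an established SA is reachable through the tunnel, and its next hop is the address the peer actually negotiated from rather than the one configured.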