R21xx-HP FlexFabric 11900 Security Command Reference
213
one interface fails and a link failover occurs, the other interface needs to take some time to re-negotiate
SAs, resulting in service interruption.
To solve the problems, bind a source interface to an IPsec policy and apply the policy to both interfaces.
This enables the two physical interfaces to use the same source interface to negotiate IPsec SAs. As long
as the source interface is up, the negotiated IPsec SAs will not be removed and will keep working,
regardless of link failover.
After an IPsec policy is applied to a service interface and IPsec SAs have been established, if you bind
the IPsec policy to a source interface, the existing IPsec SAs are deleted.
Only the IKE-based IPsec policies can be bound to a source interface.
An IPsec policy can be bound to only one source interface. To bind an IPsec policy to another source
interface, you must first remove the current binding.
A source interface can be bound to multiple IPsec policies.
HP recommends using a stable interface, such as a Loopback interface, as a source interface.
Examples
# Bind the IPsec policy map to source interface Loopback 11.
<Sysname> system-view
[Sysname] ipsec policy map local-address loopback 11
Related commands
ipsec { ipv6-policy | policy }
ipsec { ipv6-policy-template | policy-template } policy-template
Use ipsec { ipv6-policy-template | policy-template } to create an IPsec policy template, and enter IPsec
policy template view.
Use undo ipsec { ipv6-policy-template | policy-template } to delete the specified IPsec policy template.
Syntax
ipsec { ipv6-policy-template | policy-template } template-name seq-number
undo ipsec { ipv6-policy-template | policy-template } template-name [ seq-number ]
Default
No IPsec policy template is created.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6-policy-template: Specifies an IPv6 IPsec policy template.
policy-template: Specifies an IPv4 IPsec policy template.
template-name: Specifies a name for the IPsec policy template, a case-sensitive string of 1 to 64
characters.