268
Enabling logging of IPsec packets
Perform this task to enable the logging of IPsec packets that are discarded because of reasons such as
IPsec SA lookup failure, AH-ESP authentication failure, and ESP encryption failure. The log information
includes the source and destination IP addresses, the SPI value, and the sequence number of a discarded
IPsec packet, and the reason for the failure.
To enable the logging of IPsec packets:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enable the logging of IPsec
packets.
ipsec logging packet enable
By default, the logging of IPsec
packets is disabled.
Configuring the DF bit of IPsec packets
Perform this task to configure the Don't Fragment (DF) bit in the new IP header of IPsec packets in one of
the following ways:
• clear—Clears the DF bit in the new header.
• set—Sets the DF bit in the new header.
• copy—Copies the DF bit in the original IP header to the new IP header.
You can configure the DF bit in system view and interface view. The interface-view DF bit setting takes
precedence over the system-view DF bit setting. If the interface-view DF bit setting is not configured, the
interface uses the system-view DF bit setting.
Follow these guidelines when you configure the DF bit:
• The DF bit setting takes effect only in tunnel mode, and it changes the DF bit in the new IP header
rather than the original IP header.
• Configure the same DF bit setting on the interfaces where the same IPsec policy bound to a source
interface has been applied.
To configure the DF bit of IPsec packets on an interface:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter interface view.
interface interface-type
interface-number
N/A
3. Configure the DF bit of
IPsec packets on the
interface.
ipsec df-bit { clear | copy | set }
By default, the interface uses the
global DF bit setting.
To configure the DF bit of IPsec packets globally:
To Next Page
Loading...
Need help?
General