Configuring IPsec anti-replay redundancy

This feature synchronizes the following information from the master device to all subordinate devices in an IRF fabric at configurable packet-based intervals:

This feature, used together with IPsec redundancy, ensures uninterrupted IPsec traffic forwarding and anti-replay protection when the master device in an IRF fabric fails.

To configure IPsec anti-replay redundancy:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable IPsec redundancy.
   Command: ipsec redundancy enable
   Remarks: By default, IPsec redundancy is disabled.

3. Enter IPsec policy view or IPsec policy template view.
   Command:
     • Enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number [ isakmp | manual ]
     • Enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template } template-name seq-number
   Remarks: N/A

4. Set the anti-replay window synchronization interval for inbound packets and the sequence number synchronization interval for outbound packets.
   Command: redundancy replay-interval inbound inbound-interval outbound outbound-interval
   Remarks: By default, the master device synchronizes the anti-replay window every time it receives 1000 packets and the sequence number every time it sends 100000 packets.
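How the two intervals set in step 4 bound the stale state after a master failure, as an added Python model that is not part of this page and not the device vendor's code. It assumes a 64-packet window, in-order traffic, and a new master that resumes from the last synchronized values unchanged; the device's actual takeover behavior is not described on this page.

```python
import copy

class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 (size 64 is an assumption)."""
    def __init__(self, size=64):
        self.size, self.top, self.seen = size, 0, set()

    def accept(self, seq):
        # Reject anything left of the window or already recorded inside it.
        if seq <= self.top - self.size or seq in self.seen:
            return False
        self.seen.add(seq)
        if seq > self.top:
            self.top = seq
            self.seen = {s for s in self.seen if s > self.top - self.size}
        return True

def inbound_exposure(received, inbound_interval, size=64):
    """Count already-delivered packets that the restored window would accept again."""
    master, synced = ReplayWindow(size), ReplayWindow(size)
    for seq in range(1, received + 1):
        master.accept(seq)
        if seq % inbound_interval == 0:      # packet-based synchronization point
            synced = copy.deepcopy(master)
    # Master fails here; the subordinate takes over with the last synchronized copy.
    return sum(synced.accept(seq) for seq in range(1, received + 1))

def outbound_drops(sent, outbound_interval, size=64):
    """Count packets the peer rejects if sending resumes from the synchronized number."""
    peer = ReplayWindow(size)
    synced_seq = 0
    for seq in range(1, sent + 1):
        peer.accept(seq)
        if seq % outbound_interval == 0:
            synced_seq = seq
    drops, seq = 0, synced_seq + 1
    while not peer.accept(seq):              # peer sees these as replays
        drops, seq = drops + 1, seq + 1
    return drops

if __name__ == "__main__":
    # Intervals are the page defaults (1000 / 100000); failure points are constructed.
    print(inbound_exposure(2500, 1000))      # 500
    print(outbound_drops(250000, 100000))    # 50000
    print(inbound_exposure(2500, 100), outbound_drops(250000, 10000))  # 0 0
```

In this model both figures stay below the configured interval, so smaller intervals narrow them at the cost of more frequent synchronization between IRF members.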