Configuring IPsec anti-replay redundancy
About IPsec anti-replay redundancy
This feature synchronizes the following information from the active device to the standby device at configurable packet-based intervals:
- Lower bound values of the IPsec anti-replay window for inbound packets.
- IPsec anti-replay sequence numbers for outbound packets.
This feature, used together with IPsec redundancy, ensures uninterrupted IPsec traffic forwarding and anti-replay protection when the active device fails.
Procedure
1. Enter system view.
   system-view
2. Enable IPsec redundancy.
   ipsec redundancy enable
   By default, IPsec redundancy is disabled.
3. Enter IPsec policy view or IPsec policy template view.
   - Enter IPsec policy view.
     ipsec { ipv6-policy | policy } policy-name seq-number [ isakmp | manual ]
   - Enter IPsec policy template view.
     ipsec { ipv6-policy-template | policy-template } template-name seq-number
4. Set the anti-replay window synchronization interval for inbound packets and the sequence number synchronization interval for outbound packets.
   redundancy replay-interval inbound inbound-interval outbound outbound-interval
   By default, the active device synchronizes the anti-replay window every time it receives 1000 packets and synchronizes the sequence number every time it sends 100000 packets.
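
The following Python model is an added example, not vendor code or documented device behavior. It shows how far the standby's copy of the outbound sequence number can lag behind the active device at failover, and how a simplified RFC 4303-style peer window treats packets sent from that stale value. The names `ReplayWindow`, `failover` and `skip_ahead`, the 64-packet window size, and both resume strategies are assumptions made for the model; the page does not describe how the standby resumes numbering.

```python
# Added illustration, not vendor code. Simplified RFC 4303-style model.

class ReplayWindow:
    """Peer-side sliding anti-replay window."""

    def __init__(self, size, top=0):
        # Assume the peer has already accepted 1..top in order.
        self.size, self.top = size, top
        self.seen = set(range(max(1, top - size + 1), top + 1))

    def accept(self, seq):
        lower = self.top - self.size + 1           # lower bound of the window
        if seq < 1 or seq < lower or seq in self.seen:
            return False                           # too old, or a duplicate
        if seq > self.top:                         # window slides forward
            self.top = seq
            self.seen = {s for s in self.seen if s > seq - self.size}
        self.seen.add(seq)
        return True


def failover(outbound_interval, sent_before_failure, burst,
             skip_ahead, window_size=64):
    """Return (standby_lag, packets_dropped_by_peer) for one failover.

    skip_ahead=False: standby resumes at last synced number + 1.
    skip_ahead=True:  standby resumes one full interval later
                      (hypothetical compensation, assumed for this model).
    """
    peer = ReplayWindow(window_size, top=sent_before_failure)
    # The active device synced only at multiples of outbound_interval.
    last_synced = (sent_before_failure // outbound_interval) * outbound_interval
    lag = sent_before_failure - last_synced
    start = last_synced + 1 + (outbound_interval if skip_ahead else 0)
    dropped = sum(not peer.accept(s) for s in range(start, start + burst))
    return lag, dropped


if __name__ == "__main__":
    # Constructed scenario: default outbound interval from the page (100000),
    # failure after 150000 packets, standby then sends 60000 packets.
    for skip in (False, True):
        lag, dropped = failover(100000, 150000, 60000, skip)
        print(f"skip_ahead={skip}: lag={lag} dropped_by_peer={dropped}")
    # Same kind of failure with a tighter interval of 1000 packets.
    print(failover(1000, 150500, 1000, False))
```

In this model the number of packets the peer drops equals the standby's lag, which can never exceed the configured outbound interval minus one.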