Binding a source interface to an IPsec policy
About source interface and IPsec policy binding
For high availability, a core device is usually connected to an ISP through two links that operate in backup or load sharing mode. Without source interface binding, each of the two interfaces negotiates its own IPsec SAs with the peer, using its own IP address as the local address. When one interface fails and a link failover occurs, the SAs negotiated on that interface become unusable, and the other interface needs time to renegotiate SAs, which interrupts service.
To solve this problem, bind a source interface to an IPsec policy and apply the policy to both interfaces. The two physical interfaces then use the address of the same source interface to negotiate IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs are not removed and keep working, regardless of which link carries the traffic after a failover.
Restrictions and guidelines
Only the IKE-based IPsec policies can be bound to a source interface.
An IPsec policy can be bound to only one source interface.
A source interface can be bound to multiple IPsec policies.
If the source interface bound to an IPsec policy is removed, the binding is removed with it and the IPsec policy becomes a common IPsec policy, which negotiates with the IP address of the interface to which the policy is applied.
If no local address is specified in the IPsec policy (with the local-address command in IPsec policy view), an IPsec policy that has been bound to a source interface uses the IP address of the bound source interface to perform IKE negotiation. If a local address is specified in the IPsec policy, that local address takes precedence and is used for IKE negotiation.
Procedure
Enter system view.
system-view
Bind a source interface to an IPsec policy.
ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number
By default, no source interface is bound to an IPsec policy.
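The following configuration walks through the complete procedure on one device. It is an added example and not part of the original page: the interface names (LoopBack 0, GigabitEthernet 1/0/1 and 1/0/2), addresses (1.1.1.1 for the loopback, 2.2.2.2 for the peer), ACL, transform set, IKE profile and policy names, and the pre-shared key are all assumed for illustration. A loopback is used as the source interface because it stays up as long as the device is up, which is exactly the property the binding relies on.

```text
# Loopback interface whose address is used for IKE negotiation on both links.
# Assumed: the peer must be able to route packets to 1.1.1.1 over either link.
system-view
interface loopback 0
 ip address 1.1.1.1 32
quit

# IKE pre-shared key and profile for peer 2.2.2.2 (assumed peer address).
# Replace the key with a strong, randomly generated secret before use.
ike keychain kc1
 pre-shared-key address 2.2.2.2 key simple REPLACE-WITH-STRONG-PSK
quit
ike profile prof1
 keychain kc1
 local-identity address 1.1.1.1
 match remote identity address 2.2.2.2
quit

# Data flow to protect and the IPsec proposal (algorithms are illustrative).
acl advanced 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
quit
ipsec transform-set tran1
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
quit

# IKE-based IPsec policy (only IKE-based policies can be bound to a source
# interface). No local-address is set here, so the bound interface's address
# 1.1.1.1 is used for IKE negotiation.
ipsec policy pol1 10 isakmp
 transform-set tran1
 security acl 3000
 remote-address 2.2.2.2
 ike-profile prof1
quit

# The command from the procedure above, in system view: bind LoopBack 0 to
# the policy. One policy can be bound to only one source interface.
ipsec policy pol1 local-address loopback 0

# Apply the same policy to both physical uplinks.
interface gigabitethernet 1/0/1
 ipsec apply policy pol1
quit
interface gigabitethernet 1/0/2
 ipsec apply policy pol1
quit
```

After the configuration, confirm the binding and the SA state with display ipsec policy pol1 and display ipsec sa. Two points worth checking on a real deployment: the peer and any intermediate routing must deliver IKE and ESP traffic addressed to 1.1.1.1 over whichever link is currently up, and the peer's own policy must accept 1.1.1.1 (not the physical interface addresses) as the remote address and IKE identity, otherwise the negotiation fails even though the local configuration is correct.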