Configuring IPsec fragmentation

About IPsec fragmentation

Perform this task to configure the device to fragment packets before or after IPsec encapsulation.

If you configure the device to fragment packets before IPsec encapsulation, the device calculates the size that a packet will have after encapsulation before it performs the actual encapsulation. If the encapsulated packet size exceeds the MTU of the output interface, the device fragments the packet before encapsulation. If the DF bit of such a packet is set, the device drops the packet and sends an ICMP error message.

If you configure the device to fragment packets after IPsec encapsulation, the device directly encapsulates the packets and fragments the encapsulated packets in subsequent service modules.
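
The following Python model is an added example, not vendor code. It works through the two modes described above for a single packet and returns the packet sizes that end up on the wire. The overhead figures assume ESP tunnel mode with AES-CBC and HMAC-SHA1-96, and the function names are hypothetical.

```python
# Added illustration, not vendor code. Assumed transform: ESP tunnel mode with
# AES-CBC and HMAC-SHA1-96; real overhead depends on the negotiated IPsec SA.
IP_HDR = 20     # IPv4 header without options (inner and outer)
ESP_HDR = 8     # SPI + sequence number
IV_LEN = 16     # AES-CBC IV
BLOCK = 16      # AES-CBC block size
ICV_LEN = 12    # HMAC-SHA1-96 integrity check value
FIXED = IP_HDR + ESP_HDR + IV_LEN + ICV_LEN


def esp_tunnel_size(inner_len):
    """Size of the ESP tunnel-mode packet that carries an inner packet."""
    # Inner packet + pad-length byte + next-header byte, padded to whole blocks.
    padded = -(-(inner_len + 2) // BLOCK) * BLOCK
    return FIXED + padded


def max_inner_len(mtu):
    """Largest inner packet whose encapsulated form still fits in mtu."""
    return (mtu - FIXED) // BLOCK * BLOCK - 2


def fragment(total_len, limit):
    """Split an IPv4 packet into fragment sizes no larger than limit."""
    step = (limit - IP_HDR) // 8 * 8   # fragment data is a multiple of 8 bytes
    data, sizes = total_len - IP_HDR, []
    while data > 0:
        chunk = min(step, data)
        sizes.append(IP_HDR + chunk)
        data -= chunk
    return sizes


def plan(inner_len, df, mtu, mode="before-encryption"):
    """Return (action, sizes of the packets placed on the wire)."""
    total = esp_tunnel_size(inner_len)
    if total <= mtu:
        return "encapsulate", [total]
    if mode == "after-encryption":
        # Assumption: the outer header has DF clear, so the ESP packet can be split.
        return "encapsulate-then-fragment", fragment(total, mtu)
    if df:
        return "drop-and-send-icmp-error", []
    pieces = fragment(inner_len, max_inner_len(mtu))
    return "fragment-then-encapsulate", [esp_tunnel_size(p) for p in pieces]


if __name__ == "__main__":
    for mode in ("before-encryption", "after-encryption"):
        for df in (False, True):
            print(mode, "DF" if df else "no-DF", plan(1500, df, 1500, mode))
```

With fragmentation before encapsulation, each packet on the wire is a complete ESP packet. With fragmentation after encapsulation, the peer must reassemble the ESP fragments before it can decrypt them.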

Restrictions and guidelines

This feature takes effect on IPsec-protected IPv4 packets.

Procedure

  1. Enter system view.

    system-view

  2. Configure IPsec fragmentation.

    ipsec fragmentation { after-encryption | before-encryption }

    By default, the device fragments packets before IPsec encapsulation.