(Optional) Configuring Detection of Overlapping IPSec Flows

The device checks whether the data flows to be encrypted by a newly created IPSec tunnel overlap with the flows of existing tunnels. If they do, the newly created IPSec tunnel is removed, which prevents the IPSec service faults that overlapping flows cause.

Context

In an LTE IPSec scenario, new base stations are usually added during network upgrade and capacity expansion, and the firewall must interconnect with them. This is typically a complex scenario involving a large number of base stations, and the data flows that the network administrator configures and negotiates for encryption may overlap with existing data flows, causing IPSec service faults. When such a fault occurs, the tunnel status output still looks normal and packets are still forwarded rather than dropped, so the fault is difficult and time-consuming to locate and resolve.

Configure detection of overlapping IPSec flows so that the device can detect whether the data flows generated by the new tunnel for encryption overlap with existing ones after IKE negotiation:
  • If no, the new tunnel is successfully established.
  • If yes, the new tunnel fails to be established, and the device sends an alarm.

This function supports the detection of the Source Address/Address-set, Destination Address/Address-set, Source Port, Destination Port, Protocol, and DSCP Priority fields.

Precautions

  • This function affects device performance. You are advised to disable this function when the network is stable and upgrades or capacity expansions are not occurring.
  • Disable this function immediately after you complete operations such as upgrade or capacity expansion.

Restrictions

  • This function supports only IPv4.
  • This function applies to the template end (that is, IPSec security policy in policy template mode). Applying this function to a non-template end is not recommended.
  • This function performs flow overlap detection only for newly created IPSec tunnels.
  • Flow overlap is checked only against existing tunnels on the same interface and in the same VPN instance as the newly created IPSec tunnel.
  • This function does not support overlapping detection on delivered ACL configurations.
  • This function does not support overlapping packet detection on IPSec tunnels generated through renegotiation.
  • During negotiation between the local end and peer devices with the same IP address (for example, in a P2MP scenario, two peer devices use the same post-NAT IP address), the local device does not perform flow overlapping detection.

Procedure

  1. Run the system-view command to access the system view.
  2. Run the ipsec flow-overlap check enable command to enable detection of overlapping IPSec flows.

    By default, detection of overlapping IPSec flows is disabled.

Follow-up Procedure

If flow overlapping is detected on the network, the device sends an alarm IPSEC/4/IPSECTUNNELSTOP. Based on the alarm information, plan and deliver more refined and appropriate ACL configurations to prevent IPSec service faults caused by flow overlapping.
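The following Python model is an added example, not Huawei's implementation (the page does not describe how the device performs the check). It models the fields listed above (source/destination address or address set, source/destination port, protocol, DSCP), the scope rules from the Restrictions (only tunnels on the same interface and VPN instance are compared, and no check is done when a peer address is shared), and the follow-up step of replacing a coarse ACL with a refined one. Tunnel names, interface names, peer addresses and prefixes are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional, Tuple

ANY_PORT = (0, 65535)  # inclusive port range meaning "any port"


@dataclass(frozen=True)
class FlowSelector:
    """Fields the page says the check covers. Address fields are tuples of
    IPv4Network (an address set; a single address is a one-element set of a
    /32). None for protocol or dscp means the field is unconstrained."""
    src: tuple
    dst: tuple
    src_port: Tuple[int, int] = ANY_PORT
    dst_port: Tuple[int, int] = ANY_PORT
    protocol: Optional[int] = None
    dscp: Optional[int] = None

    @staticmethod
    def build(src, dst, src_port=ANY_PORT, dst_port=ANY_PORT, protocol=None, dscp=None):
        return FlowSelector(
            src=tuple(ip_network(n, strict=False) for n in src),
            dst=tuple(ip_network(n, strict=False) for n in dst),
            src_port=src_port, dst_port=dst_port, protocol=protocol, dscp=dscp,
        )


@dataclass(frozen=True)
class Tunnel:
    name: str
    interface: str
    vpn_instance: str
    peer: str  # peer IKE address (the post-NAT address in the P2MP case)
    flow: FlowSelector


def _address_sets_overlap(a, b) -> bool:
    # Two address sets overlap if any member prefix of one shares an address
    # with any member prefix of the other.
    return any(x.overlaps(y) for x in a for y in b)


def _ranges_overlap(a, b) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def _scalars_overlap(a, b) -> bool:
    # "any" (None) matches everything; otherwise the values must be equal.
    return a is None or b is None or a == b


def flows_overlap(f1: FlowSelector, f2: FlowSelector) -> bool:
    """True when some packet could match both selectors, i.e. every field
    can match at the same time."""
    return (_address_sets_overlap(f1.src, f2.src)
            and _address_sets_overlap(f1.dst, f2.dst)
            and _ranges_overlap(f1.src_port, f2.src_port)
            and _ranges_overlap(f1.dst_port, f2.dst_port)
            and _scalars_overlap(f1.protocol, f2.protocol)
            and _scalars_overlap(f1.dscp, f2.dscp))


def check_new_tunnel(new: Tunnel, existing) -> Tuple[str, list]:
    """Decide whether a newly negotiated tunnel may be kept.

    Returns ("skipped", []) when an existing tunnel already uses the same
    peer address (the page's P2MP post-NAT case, where no detection is done),
    ("rejected", [names]) when the flows overlap an existing tunnel on the
    same interface and VPN instance, and ("established", []) otherwise.
    """
    if any(t.peer == new.peer for t in existing):
        return "skipped", []
    in_scope = [t for t in existing
                if t.interface == new.interface and t.vpn_instance == new.vpn_instance]
    conflicts = [t.name for t in in_scope if flows_overlap(t.flow, new.flow)]
    return ("rejected" if conflicts else "established"), conflicts


# Constructed sample state: three tunnels already established on the firewall.
EXISTING = [
    Tunnel("bs-1", "GigabitEthernet1/0/1", "lte", "203.0.113.10",
           FlowSelector.build(["10.1.0.0/24"], ["192.168.10.0/24"])),
    Tunnel("bs-2", "GigabitEthernet1/0/1", "lte", "203.0.113.20",
           FlowSelector.build(["10.2.0.0/24"], ["192.168.20.0/24"], protocol=17)),
    # Same addresses as bs-1, but on another interface, so out of scope for the check.
    Tunnel("bs-3", "GigabitEthernet1/0/2", "lte", "203.0.113.30",
           FlowSelector.build(["10.1.0.0/24"], ["192.168.10.0/24"])),
]


def demo():
    # A coarse flow for a new base station swallows the flows of bs-1 and bs-2.
    coarse = Tunnel("bs-new", "GigabitEthernet1/0/1", "lte", "203.0.113.40",
                    FlowSelector.build(["10.0.0.0/8"], ["192.168.0.0/16"]))
    verdict, conflicts = check_new_tunnel(coarse, EXISTING)
    # Refined ACL for the same base station: disjoint prefixes, so it is accepted.
    refined = Tunnel("bs-new", "GigabitEthernet1/0/1", "lte", "203.0.113.40",
                     FlowSelector.build(["10.3.0.0/24"], ["192.168.30.0/24"]))
    refined_verdict, _ = check_new_tunnel(refined, EXISTING)
    return verdict, conflicts, refined_verdict


if __name__ == "__main__":
    print(demo())
```

The model treats a selector with an unconstrained protocol or DSCP as matching any value, so a new tunnel that narrows the same address pair to a different protocol number does not conflict; that is the kind of refinement the follow-up procedure asks for when the alarm is raised.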

Copyright © Huawei Technologies Co., Ltd.