
(Optional) Configuring IPSec Intelligent Link Selection Profiles

Context

When configuring IPSec intelligent link selection profiles, comply with the following principles:

  • The FW supports a maximum of three IPSec intelligent link selection profiles.
  • An IPSec intelligent link selection profile can be referenced only by an IPSec policy in IKE mode, not by one in template or manual mode.
  • An IPSec intelligent link selection profile can be referenced by only one IPSec policy, and an IPSec policy can reference only one IPSec intelligent link selection profile.
  • IPSec intelligent link selection supports only IPv4.
  • When the local IPSec policy uses the intelligent link selection function, the peer end must use the template mode to set up a tunnel with the local end.

Procedure

  1. Run the system-view command to access the system view.
  2. Run the ipsec smart-link profile profile-name command to create an IPSec intelligent link selection profile and display the IPSec intelligent link selection profile view.
  3. Run the smart-link enable command to enable the IPSec intelligent link selection profile.

    By default, an IPSec intelligent link selection profile is enabled.

  4. Configure IPSec intelligent link selection and link switchover mode.

    The IPSec intelligent link selection function can be used in two scenarios based on the link switchover mechanism. One is to switch the link based on the link quality probe result, and the other is to switch the link based on the route status change.

    • Link switchover based on the link quality probe result
      1. Run the link-switch-mode detection-based command to configure link switchover based on the link quality probe result.
      2. Run the link link-id interface interface-type interface-number [ local local-address ] [ nexthop nexthop-address ] remote remote-address command to add links for IPSec intelligent link selection.

        Each IPSec intelligent link selection profile allows a maximum of 3 local addresses and a maximum of 10 peer addresses. Therefore, you can configure a maximum of 30 links (3 x 10 = 30). A link configured earlier is given a higher priority than a link configured later. You can use the move link command to adjust the priorities of links and use the active link command to manually select an IPSec link.

        After the IPSec link is selected, the FW will apply the IPSec policy that references the IPSec intelligent link selection profile to the local interface specified in the link command. In addition, the FW replaces the local address and remote address with those specified in the local-address and remote-address parameters of the link command respectively.

        To correctly forward IKE negotiation packets and IPSec packets, the FW delivers a host route whose destination address is remote-address and whose next-hop address is nexthop-address, both as specified in the nexthop nexthop-address and remote remote-address parameters of the link command.

        When the local interface obtains IP addresses through DHCP or PPPoE, local-address and nexthop-address are obtained from the DHCP or PPPoE server. You do not need to set values for them. If you manually set values for local-address and nexthop-address, the FW will use the values that you set.

        To correctly forward private network packets and link quality probe packets, you need to configure the reverse route injection function on the gateway that uses the IPSec intelligent link selection function.

      3. Run the link-quality-detection source source-address destination destination-address command to specify the source and destination addresses for link quality detection packets.

        The quality of IPSec links is detected by sending ICMP packets. source-address can be any address as long as it and the remote device are reachable to each other. The destination-address of probe packets can be the address of a device on the peer private network. When there is only one peer address, the destination-address of probe packets can be an interface IP address of the peer gateway.

        After you specify the source and destination addresses for link quality detection packets using the link-quality-detection source source-address destination destination-address command, the FW automatically adds the following rule to the ACL referenced by the IPSec policy so that the link quality detection packets match the ACL.

        rule permit icmp source source-address 0 destination destination-address 0

        If link quality detection packets match an existing ACL rule on the FW, the FW will not add the preceding ACL rule.

        The following ACL rule needs to be manually added to the remote device so that the remote device can receive and respond to the link quality detection packets sent from the FW:

        rule permit icmp source destination-address 0 destination source-address 0

        If the link quality detection packet and its response packet can match an existing ACL rule on the remote device, the preceding ACL rule does not need to be added.

        If no source or destination address is configured for link quality detection packets, the FW will use local-address and remote-address specified in the link command as the source and destination addresses of the packets respectively.

      4. Run the link-quality-detection interval interval-number number packet-number command to specify the interval for sending link quality detection packets and the number of link quality detection packets sent within a detection cycle.

        After sending a specific number of link quality detection packets (determined by the packet-number value), the FW will calculate the delay and packet loss rate.

      5. Run the link-quality-threshold { loss loss-rate | delay delay } command to set link quality thresholds.

        loss-rate: specifies the packet loss rate threshold. The packet loss rate is calculated based on this formula: Packet loss rate = Number of discarded packets within a link quality detection cycle/Total number of link quality detection packets within a link quality detection cycle.

        delay: specifies the delay threshold. The delay is calculated based on the formula: Delay = Time when a response packet is received - Time when a detection packet is sent. The FW calculates the delay of each detection packet within a detection cycle and takes an average.

        If the packet loss rate or delay over a tunnel exceeds the threshold, a link switchover is triggered.

      6. Run the auto-switch cycles number command to set the upper threshold for the number of link switchover cycles. If the link quality is unqualified, the FW performs cyclic link switchovers based on link priorities. For example, if four links exist, 1->2->3->4 is one complete link switchover cycle. If the number of cyclic link switchovers reaches the upper threshold and the switching duration from the highest-priority link to the lowest-priority link is within 10 minutes, the FW stops link detection and cyclic switchovers for 10 minutes and switches traffic to the link with the lowest packet loss ratio. After that, the FW starts link detection and cyclic link switchovers again.
        • If the packet loss ratio is 100% for all links, the link switchover stops at the last link.
        • If the number is set to 0, the FW will never stop the link detection and cyclic link switchovers.
      7. (Optional) Run the auto-switch preempt enable command to enable automatic switchback to a high-priority link.

        By default, this function is disabled. After this function is enabled, the FW continuously detects the quality of the high-priority link after the IPSec tunnel is switched to the backup link. If the quality of the high-priority link continuously meets the requirements within the configured switchback delay, the FW automatically switches the IPSec tunnel back to the high-priority link.

        After automatic switchback to a high-priority link is enabled, the link quality detection packet configuration in the IPSec intelligent link selection rule on the local device and the ACL rule in the IPSec policy on the peer device differ from those used before the function is enabled in the following ways:

        • The source and destination IP addresses of link quality detection packets must be configured in the IPSec intelligent link selection rule on the local device. These IP addresses cannot be the IP addresses of the interfaces at the two ends of the IPSec tunnel; they can be IP addresses contained in the ACL rule.
        • An ACL rule that uses the destination IP address of detection packets as the source IP address, the source IP address of the detection packets as the destination IP address, and ICMP as the protocol type must be configured in the IPSec policy of the peer device.

          For example, if the source IP address of the detection packets on the local device is 1.1.1.1 and the destination IP address is 2.2.2.2, configure the following link quality detection addresses on the local device:

          link-quality-detection source 1.1.1.1 destination 2.2.2.2

          Configure the following ACL rule on the peer device:

          rule permit icmp source 2.2.2.2 0 destination 1.1.1.1 0

          Because the link detection addresses are configured on the local device, the FW does not use the IP addresses of the interfaces at the two ends of the link as the source and destination addresses of the detection packets. Therefore, you do not need to configure an ACL rule that uses the IP addresses of the interfaces at the two ends of the IPSec tunnel as the source and destination IP addresses on the peer device.

      8. (Optional) Run the auto-switch preempt enable delay delay-time command to set the delay of automatic switchback to a high-priority link.

        The default switchback delay is 180 seconds. Automatic switchback is triggered only when the quality (packet loss rate and delay) of the link with a higher priority continuously meets the requirements within the switchback delay.

    • Link switchover based on the route status change
      1. Run the link-switch-mode route-based command to configure link switchover based on the route status change.

      2. Run the link link-id interface interface-type interface-number [ local local-address ] [ nexthop nexthop-address ] remote remote-address command to add IPSec intelligent link selection links.

        Each IPSec intelligent link selection profile allows a maximum of 3 local addresses and a maximum of 10 peer addresses. Therefore, you can configure a maximum of 30 links (3 x 10 = 30). A link configured earlier is given a higher priority than a link configured later. You can use the move link command to adjust the priorities of links and use the active link command to manually select an IPSec link.

        To correctly forward IKE negotiation packets and IPSec packets, ensure that the IPSec gateways are reachable to each other.

        After the IPSec link is selected, the FW will apply the IPSec policy that references the IPSec intelligent link selection profile to the interface specified in the link command. In addition, the FW replaces the local address and remote address with those specified in the local-address and remote-address parameters of the link command respectively.

        When the local interface obtains an IP address through DHCP or PPPoE, local-address is obtained from the DHCP or PPPoE server and you do not need to set it. If you manually set local-address, the FW uses the value that you set.

        To correctly forward private network packets from the local end to the peer end, you need to configure the reverse route injection function on the gateway that uses the IPSec intelligent link selection function.
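The ACL handling described in the link-quality-detection step and in the automatic switchback note, as an added worked example that is not part of this Huawei page and not Huawei code: a small Python model (function and class names are assumptions) of wildcard-mask ACL matching that decides whether the FW needs to add the probe rule to the local IPSec policy ACL, and derives the mirrored rule the peer device needs. The sample ACL and addresses are constructed; the wildcard "0" form follows the rule syntax shown above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def _addr_int(text: str) -> int:
    # The CLI writes an all-zero wildcard as a bare "0"; accept both forms.
    return int(text) if text.isdigit() else int(IPv4Address(text))


def _wildcard_match(rule_addr: str, wildcard: str, addr: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    care = ~_addr_int(wildcard) & 0xFFFFFFFF
    return (_addr_int(rule_addr) & care) == (_addr_int(addr) & care)


@dataclass(frozen=True)
class AclRule:
    protocol: str          # "icmp" or "ip" (an ip rule covers ICMP too)
    source: str
    source_wildcard: str
    destination: str
    destination_wildcard: str

    def matches(self, protocol: str, src: str, dst: str) -> bool:
        return (self.protocol in (protocol, "ip")
                and _wildcard_match(self.source, self.source_wildcard, src)
                and _wildcard_match(self.destination, self.destination_wildcard, dst))

    def cli(self) -> str:
        return (f"rule permit {self.protocol} source {self.source} {self.source_wildcard} "
                f"destination {self.destination} {self.destination_wildcard}")


def probe_addresses(link_local: str, link_remote: str,
                    detect_src: Optional[str] = None, detect_dst: Optional[str] = None):
    """Addresses the probes carry: the link-quality-detection addresses if
    configured, otherwise the link's local-address and remote-address."""
    return (detect_src or link_local, detect_dst or link_remote)


def local_rule_to_add(existing: List[AclRule], src: str, dst: str) -> Optional[AclRule]:
    """Rule the FW adds to the IPSec policy ACL, or None if a rule already matches."""
    if any(r.matches("icmp", src, dst) for r in existing):
        return None
    return AclRule("icmp", src, "0", dst, "0")


def peer_rule_to_add(existing: List[AclRule], src: str, dst: str) -> Optional[AclRule]:
    """Mirrored rule the peer needs: probe destination becomes the rule source,
    probe source becomes the rule destination. None if already covered."""
    if any(r.matches("icmp", dst, src) for r in existing):
        return None
    return AclRule("icmp", dst, "0", src, "0")


if __name__ == "__main__":
    # Constructed sample: a private-network ip rule already in the local IPSec policy ACL.
    local_acl = [AclRule("ip", "10.1.0.0", "0.0.255.255", "10.2.0.0", "0.0.255.255")]
    src, dst = probe_addresses("1.1.1.1", "2.2.2.2", "10.1.0.1", "10.2.0.1")
    print("local rule:", local_rule_to_add(local_acl, src, dst))        # None: covered
    src, dst = probe_addresses("1.1.1.1", "2.2.2.2")                    # no detection addresses set
    print("local rule:", local_rule_to_add(local_acl, src, dst).cli())
    print("peer rule: ", peer_rule_to_add([], src, dst).cli())
```

Note that an existing `ip` rule covering the probe addresses suppresses the automatic rule, matching the page's statement that the FW only adds the ICMP rule when no existing rule matches; the peer-side check is done with the source and destination swapped, which is exactly the rule shown for the remote device.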
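The detection cycle metrics, the loss and delay thresholds, and the cyclic switchover cap from the detection-based steps above, as an added Python model that is not part of this page and not Huawei code (class, function and parameter names are assumptions; the automatic switchback option is not modeled). Probe round-trip times are constructed sample input: one entry per probe in a detection cycle, None for a probe that received no reply.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HOLD_SECONDS = 600  # the 10-minute hold applied when the switchover cycle cap is reached


def cycle_metrics(rtts_ms: List[Optional[float]]):
    """Metrics for one detection cycle.
    Loss rate = discarded probes / total probes in the cycle (as a percentage).
    Delay    = average RTT over the probes that were answered (None if none were)."""
    total = len(rtts_ms)
    answered = [r for r in rtts_ms if r is not None]
    loss_pct = 100.0 * (total - len(answered)) / total
    delay_ms = sum(answered) / len(answered) if answered else None
    return loss_pct, delay_ms


def exceeds_threshold(loss_pct, delay_ms, loss_threshold_pct, delay_threshold_ms) -> bool:
    """A link is unqualified when its loss rate OR its delay exceeds the threshold."""
    if loss_pct > loss_threshold_pct:
        return True
    return delay_ms is not None and delay_ms > delay_threshold_ms


@dataclass
class SmartLinkProfile:
    links: List[int]                 # link ids in priority order (configured earlier = higher)
    loss_threshold_pct: float        # link-quality-threshold loss
    delay_threshold_ms: float        # link-quality-threshold delay
    auto_switch_cycles: int          # auto-switch cycles; 0 = never stop cycling
    interval_s: int = 1              # link-quality-detection interval
    packet_number: int = 10          # link-quality-detection number
    active: int = 0                  # index into links
    loops_done: int = 0
    loop_started_at: float = 0.0
    held_until: float = 0.0
    clock: float = 0.0
    last_loss: Dict[int, float] = field(default_factory=dict)

    def active_link(self) -> int:
        return self.links[self.active]

    def run_cycle(self, rtts_ms: List[Optional[float]]) -> int:
        """Process one detection cycle measured on the active link and return
        the id of the link that carries traffic afterwards."""
        self.clock += self.interval_s * self.packet_number
        if self.clock < self.held_until:          # detection suspended during the hold
            return self.active_link()
        loss, delay = cycle_metrics(rtts_ms)
        self.last_loss[self.active_link()] = loss
        if not exceeds_threshold(loss, delay, self.loss_threshold_pct, self.delay_threshold_ms):
            return self.active_link()
        if self.active + 1 < len(self.links):
            self.active += 1                      # fall through to the next priority
            return self.active_link()
        # Leaving the lowest-priority link completes one 1->...->n switchover cycle.
        if all(v >= 100.0 for v in self.last_loss.values()):
            return self.active_link()             # 100% loss everywhere: stay on the last link
        self.loops_done += 1
        loop_seconds = self.clock - self.loop_started_at
        if (self.auto_switch_cycles and self.loops_done >= self.auto_switch_cycles
                and loop_seconds <= HOLD_SECONDS):
            # Cap reached: hold for 10 minutes on the link with the lowest loss.
            self.held_until = self.clock + HOLD_SECONDS
            self.loops_done = 0
            best = min(self.last_loss, key=self.last_loss.get)
            self.active = self.links.index(best)
        else:
            self.active = 0
        self.loop_started_at = self.clock
        return self.active_link()


if __name__ == "__main__":
    # Constructed probe results: 30% loss, 80 ms delay, 50% loss.
    lossy = [None] * 3 + [10.0] * 7
    slow = [80.0] * 10
    half = [None] * 5 + [10.0] * 5
    p = SmartLinkProfile([1, 2, 3], loss_threshold_pct=20.0, delay_threshold_ms=50.0,
                         auto_switch_cycles=2)
    for probes in (lossy, slow, half, lossy, slow, half, half):
        print("active link:", p.run_cycle(probes))
```

With two loops allowed, the model walks 1->2->3 twice, then holds on link 2 (the only link whose measured loss stayed under the threshold) and ignores further probe results until the hold expires, which is the behaviour the auto-switch cycles step describes.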

Follow-Up Procedure

None.

Run the display ipsec smart-link profile command to check configured IPSec intelligent link selection rules.

<sysname> display ipsec smart-link profile name profile1
===========================================
 Name                      :profile1
 Detection number          :10
 Detection interval        :1
 Detection source IP       :1.1.1.1
 Detection destination IP  :3.3.3.3
 Cycles                    :4
 Switched times            :4
 Switch mode               :detection-based
 State                     :enable
 IPSec policy alias        :policy1
 link list:
 ID local-address   remote-address  loss(%) delay(ms)  state
 1  1.1.1.1         3.3.3.3         2       10         active
 2  2.2.2.2         4.4.4.4         0       0          inactive
===========================================
Copyright © Huawei Technologies Co., Ltd.