
ipsec flow-overlap check enable

Function

The ipsec flow-overlap check enable command enables detection of overlapping IPSec flows.

The undo ipsec flow-overlap check enable command disables detection of overlapping IPSec flows.

By default, detection of overlapping IPSec flows is disabled.

Format

ipsec flow-overlap check enable

undo ipsec flow-overlap check enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Application Scenarios

In an LTE IPSec scenario, new base stations are usually added during network upgrade and capacity expansion, and the firewall needs to interconnect with these new base stations. In this case, you can enable detection of overlapping IPSec flows so that, after IKE negotiation, the device checks whether the to-be-encrypted data flows of the new tunnel overlap with those of existing tunnels. If they do not overlap, the new tunnel is established. If they overlap, the new tunnel fails to be established and the device generates the alarm IPSEC/4/IPSECTUNNELSTOP, which reports the overlapping to-be-encrypted data flows. You then need to analyze the device networking and plan and deliver more reasonable ACL configurations.
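The following Python model, added here as an illustration and not Huawei's implementation, shows what "overlapping to-be-encrypted data flows" means in practice: each flow is described like an ACL rule (source prefix, destination prefix, protocol, port ranges), and two flows overlap when a single packet could match both. The tunnel names, prefixes and the decide() helper are constructed for the example; the alarm name IPSEC/4/IPSECTUNNELSTOP is the one the page documents.

```python
"""Model of the overlapping-flow check performed after IKE negotiation.

Added example, not device code. Flow definitions below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Flow:
    """One to-be-encrypted data flow, expressed like an ACL rule."""
    tunnel: str                       # constructed tunnel/policy name
    src: object                       # IPv4Network / IPv6Network
    dst: object
    protocol: Optional[int] = None    # None means any protocol
    sport: PortRange = (0, 65535)
    dport: PortRange = (0, 65535)


def ranges_intersect(a: PortRange, b: PortRange) -> bool:
    """Closed integer ranges intersect when neither lies entirely beyond the other."""
    return a[0] <= b[1] and b[0] <= a[1]


def flows_overlap(a: Flow, b: Flow) -> bool:
    """True when some packet would be selected by both flows (every field intersects)."""
    if a.protocol is not None and b.protocol is not None and a.protocol != b.protocol:
        return False
    return (a.src.overlaps(b.src)           # ipaddress: equal, or one contains the other
            and a.dst.overlaps(b.dst)
            and ranges_intersect(a.sport, b.sport)
            and ranges_intersect(a.dport, b.dport))


def check_new_tunnel(existing: List[Flow], new: List[Flow]) -> List[Tuple[Flow, Flow]]:
    """Return every (existing, new) pair that overlaps; an empty list means no conflict."""
    return [(e, n) for n in new for e in existing if flows_overlap(e, n)]


def decide(existing: List[Flow], new: List[Flow]) -> Tuple[str, List[Tuple[Flow, Flow]]]:
    """Mirror the documented behaviour: establish on no overlap, otherwise stop and alarm."""
    conflicts = check_new_tunnel(existing, new)
    if not conflicts:
        return "established", conflicts
    for e, n in conflicts:    # rendering of the alarm is constructed; only its name is documented
        print(f"IPSEC/4/IPSECTUNNELSTOP: flow of {n.tunnel} ({n.src} -> {n.dst}) "
              f"overlaps flow of {e.tunnel} ({e.src} -> {e.dst})")
    return "stopped", conflicts


# Constructed sample: one existing base station tunnel toward the core network.
EXISTING = [Flow("enodeb-1", ip_network("10.1.1.0/24"), ip_network("10.0.0.0/16"))]

# A well-planned ACL for the new base station: a disjoint source prefix.
GOOD_NEW = [Flow("enodeb-2", ip_network("10.1.2.0/24"), ip_network("10.0.0.0/16"))]

# A badly planned ACL that covers the whole base-station range, including enodeb-1.
BAD_NEW = [Flow("enodeb-2-wide", ip_network("10.1.0.0/16"), ip_network("10.0.0.0/16"))]

if __name__ == "__main__":
    print(decide(EXISTING, GOOD_NEW)[0])   # established
    print(decide(EXISTING, BAD_NEW)[0])    # stopped, after one alarm line
```

The check is purely a function of the ACL definitions, which is why the page's remedy for a stopped tunnel is to re-plan the ACLs rather than to change anything in IKE: the same model lets you test a planned ACL set offline before delivering it to the device.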

Precautions

  • This function affects device performance. You are advised to disable it when network operation is stable (that is, when no upgrade or capacity expansion is in progress).
  • Disable this function immediately after you complete such operations as upgrade or capacity expansion.

Example

# Enable detection of overlapping IPSec flows.

<sysname> system-view
[sysname] ipsec flow-overlap check enable
Copyright © Huawei Technologies Co., Ltd.