(Optional) Allowing New Users with the Same Traffic Rule as Original Branch Users to Access the Headquarters Network

After the enterprise branch and its headquarters establish an IPSec tunnel, the IP address of the branch gateway interface to which an IPSec policy group is applied changes due to the link status change. For example, the branch gateway connects to the Internet through dial-up and establishes an IPSec tunnel with the headquarters. The headquarters gateway has an existing IPSec tunnel to protect IPSec packets exchanged between the headquarters gateway and branch gateway (original users). Because data flows of new users are the same, the branch gateway and headquarters gateway cannot reestablish an IPSec tunnel. After the local IP address of the IPSec tunnel on the branch gateway changes, the branch gateway (new users) and headquarters gateway cannot rapidly reestablish an IPSec tunnel to protect IPSec traffic exchanged between them.

You can configure the device to allow new users with the same traffic rule as original branch users to access the headquarters network so that the existing IPSec SAs can be rapidly aged and a new IPSec tunnel can be established.

The prerequisites are as follows:

• The headquarters gateway functions as the responder and uses an IPSec policy template to establish an IPSec tunnel with the branch gateway.
• The ACL rules for the new users must be the same as those for original users.
• The interface used by new users to access the headquarters gateway must be the same as that used by original users.