Disable IPsec Fragmentation Before Encryption

Note

This procedure only applies to XA1400 Series.

If you downgrade to an earlier release that does not support this feature, you must disable the feature and save the configuration. You must have a compatible configuration file if you downgrade to an earlier release.

Before you begin

Procedure

  1. Enter Logical IS-IS Interface Configuration mode:

    enable

    configure terminal

    logical-intf isis <1–255>

  2. Disable IPsec on the logical interface:
    no ipsec
  3. Disable IPsec fragmentation before encryption on the logical interface:
    no ipsec fragment-before-encrypt
  4. Enable IPsec on the logical interface:
    ipsec
  5. Verify the configuration:
    show isis logical-interface ipsec

Example

Disable IPsec and IPsec fragmentation before encryption and verify the configuration:

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#logical-intf isis 2
Switch:1(config-isis-2-192.168.20.1)#no ipsec
Switch:1(config-isis-2-192.168.20.1)#no ipsec fragment-before-encrypt
Switch:1(config-isis-2-192.168.20.1)#ipsec
Switch:1(config-isis-2-192.168.20.1)#show isis logical-interface ipsec
========================================================================================================================================
                          ISIS Logical Interface IPSec
========================================================================================================================================
ID   Status   Auth-Method   Auth-Key   ESP                  Responder-Only   Remote NAT IP  Auth-Key-Len Compression Frag-before-encrypt
-----------------------------------------------------------------------------------------------------------------------------------------
1    Enable   RSA-SIG       ******     aes128gcm16-sha256   False            -              128          False       False

-----------------------------------------------------------------------------------------------------------------------------------------
 1 out of 1 Total Num of Logical ISIS interfaces
-----------------------------------------------------------------------------------------------------------------------------------------

======================================================================================================================
                           IPSec Tunnel General Info
======================================================================================================================
       IPSec tunnel global source-ip-address : 203.0.113.1

======================================================================================================================
                               ISIS IPSec Tunnels
======================================================================================================================

ID    IPSec source    IP            IPSec Dst Ip        TUNNEL_NEXT_HOP
      type            address                           PORT/MLT   VLAN        VRF
----------------------------------------------------------------------------------------------------------------------
1     global          203.0.113.1   100.100.100.6      Port1/6    100       GlobalRouter
----------------------------------------------------------------------------------------------------------------------
 1 out of 1 Total Num of Logical ISIS interfaces
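
The verification in step 5 can be automated over captured CLI output. The following is an added example, not part of the original procedure or the vendor's tooling: it parses the first table of `show isis logical-interface ipsec` and reports any logical interface that still has Frag-before-encrypt set or whose Status is not Enable. The function names and the second sample row are assumptions made for this example.

```python
# Column order follows the header of the first table in the page's sample output.
COLUMNS = ["id", "status", "auth_method", "auth_key", "esp", "responder_only",
           "remote_nat_ip", "auth_key_len", "compression", "frag_before_encrypt"]

# Constructed sample: row 1 is the page's row, row 2 is invented for this example.
SAMPLE = """\
ID   Status   Auth-Method   Auth-Key   ESP                  Responder-Only   Remote NAT IP  Auth-Key-Len Compression Frag-before-encrypt
-----------------------------------------------------------------------------
1    Enable   RSA-SIG       ******     aes128gcm16-sha256   False            -              128          False       False
2    Enable   RSA-SIG       ******     aes128gcm16-sha256   False            -              128          False       True

-----------------------------------------------------------------------------
 2 out of 2 Total Num of Logical ISIS interfaces
"""

def parse_ipsec_table(output):
    """Return one dict per data row of the 'ISIS Logical Interface IPSec' table."""
    rows, in_table = [], False
    for line in output.splitlines():
        if line.lstrip().startswith("ID") and "Frag-before-encrypt" in line:
            in_table = True          # header found; data rows follow
            continue
        if not in_table:
            continue
        if "Total Num" in line:      # footer closes the table (it also has 10 tokens)
            break
        fields = line.split()
        if len(fields) == len(COLUMNS) and fields[0].isdigit():
            rows.append(dict(zip(COLUMNS, fields)))
    return rows

def audit(output):
    """List (interface id, problem) pairs for rows that do not match the end state."""
    problems = []
    for row in parse_ipsec_table(output):
        if row["frag_before_encrypt"] != "False":
            problems.append((row["id"], "fragment-before-encrypt still enabled"))
        if row["status"] != "Enable":
            problems.append((row["id"], "IPsec not re-enabled"))
    return problems

if __name__ == "__main__":
    for intf, problem in audit(SAMPLE):
        print(f"logical-intf isis {intf}: {problem}")
```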