Enable IPsec Fragmentation Before Encryption

Note

This procedure only applies to XA1400 Series.

Configure IPsec fragmentation before encryption to avoid a possible throughput penalty when fragmented packets are sent over the Internet.

Before you begin

  • Configure the IPsec tunnel source address globally.

  • Disable IPsec on the logical interface.

  • IPsec over Fabric Extend must be in IPsec decoupled mode. For more information, see Fabric IPsec Gateway Fundamentals.

  • Configure one of the following:

    • the IPsec tunnel destination IP

    • IPsec NAT-T responder only mode

    • IPsec responder remote NAT IP address

Procedure

  1. Enter Logical IS-IS Interface Configuration mode:

    enable

    configure terminal

    logical-intf isis <1–255>

  2. Enable IPsec fragmentation before encryption on the logical interface:
    ipsec fragment-before-encrypt
  3. Enable IPsec on the logical interface:
    ipsec
  4. Verify the configuration:
    show isis logical-interface ipsec

Example

Enable IPsec fragmentation before encryption and verify the configuration:

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#logical-intf isis 2
Switch:1(config-isis-2-192.0.2.24)#ipsec fragment-before-encrypt
Switch:1(config-isis-2-192.0.2.24)#ipsec
Switch:1>show isis logical-interface ipsec
=======================================================================================================================================
                          ISIS Logical Interface IPSec
=======================================================================================================================================
ID   Status   Auth-Method   Auth-Key  ESP                  Responder-Only   Remote NAT IP  Auth-Key-Len Compression Frag-before-encrypt
---------------------------------------------------------------------------------------------------------------------------------------
1    Enable   RSA-SIG       ******    aes128gcm16-sha256   False            -              128          False       True

---------------------------------------------------------------------------------------------------------------------------------------
 1 out of 1 Total Num of Logical ISIS interfaces
---------------------------------------------------------------------------------------------------------------------------------------

======================================================================================================================
                           IPSec Tunnel General Info
======================================================================================================================
       IPSec tunnel global source-ip-address : 203.0.113.1

======================================================================================================================
                               ISIS IPSec Tunnels
======================================================================================================================

ID    IPSec source    IP            IPSec Dst Ip        TUNNEL_NEXT_HOP
      type            address                           PORT/MLT   VLAN        VRF
----------------------------------------------------------------------------------------------------------------------
1     global          203.0.113.1   100.100.100.6      Port1/6    100       GlobalRouter
----------------------------------------------------------------------------------------------------------------------
 1 out of 1 Total Num of Logical ISIS interfaces
----------------------------------------------------------------------------------------------------------------------
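The throughput point behind ipsec fragment-before-encrypt can be seen by modelling the two orderings. The following Python is an added example, not code from the page or the XA1400 CLI: it uses the standard ESP tunnel-mode overheads for aes128gcm16 over IPv4 (with optional NAT-T UDP encapsulation) and constructed MTU and packet sizes, and shows that fragmenting after encryption forces the peer to reassemble before it can decrypt, whereas fragmenting first yields ESP packets that each fit the MTU and decrypt independently.

```python
"""Model of ESP tunnel-mode sizing for fragment-before vs fragment-after-encrypt.
Added example, not from the page or the XA1400 CLI. Overheads are the standard
ones for ESP tunnel mode with AES-GCM-16 (RFC 4106) over IPv4; the MTU and
packet sizes callers pass in are constructed sample values."""
OUTER_IP = 20     # outer IPv4 header added in tunnel mode
UDP_NAT_T = 8     # UDP header present when NAT-T encapsulation is used
ESP_HDR = 8       # SPI (4) + sequence number (4)
GCM_IV = 8        # explicit per-packet IV for AES-GCM
GCM_ICV = 16      # 16-byte ICV for aes128gcm16
ESP_TRAILER = 2   # pad length + next header
ALIGN = 4         # GCM ESP payload is padded to a 4-byte boundary

def esp_size(plain_len, nat_t=False):
    """On-wire size of one ESP packet carrying plain_len bytes of inner IP packet."""
    body = plain_len + ESP_TRAILER
    body += (-body) % ALIGN
    return OUTER_IP + (UDP_NAT_T if nat_t else 0) + ESP_HDR + GCM_IV + body + GCM_ICV

def ip_fragments(total_len, mtu):
    """IPv4-fragment a packet so every fragment fits mtu (payloads in 8-byte units)."""
    if total_len <= mtu:
        return [total_len]
    per_frag = (mtu - 20) // 8 * 8
    sizes, left = [], total_len - 20
    while left > 0:
        take = min(per_frag, left)
        sizes.append(20 + take)
        left -= take
    return sizes

def fragment_after_encrypt(inner_len, mtu, nat_t=False):
    """Encrypt the whole inner packet, then fragment the ESP packet on the wire.
    The peer must reassemble all fragments before it can authenticate or decrypt,
    and one lost fragment discards the entire ESP packet."""
    return ip_fragments(esp_size(inner_len, nat_t), mtu)

def inner_mtu(mtu, nat_t=False):
    """Largest inner packet whose ESP encapsulation still fits the path MTU."""
    size = mtu
    while esp_size(size, nat_t) > mtu:
        size -= 1
    return size

def fragment_before_encrypt(inner_len, mtu, nat_t=False):
    """Fragment the inner packet first, then encrypt each fragment separately.
    Every ESP packet fits the MTU and is decryptable on its own; reassembly is
    left to the inner destination host."""
    return [esp_size(f, nat_t) for f in ip_fragments(inner_len, inner_mtu(mtu, nat_t))]
```

For a 1500-byte inner packet over a 1500-byte path, fragment-after-encrypt produces a 1556-byte ESP packet split into 1500 and 76-byte IP fragments, while fragment-before-encrypt produces two complete ESP packets of 1500 and 132 bytes.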