After a branch and the company headquarters successfully establish an IPSec tunnel, the IP address of the branch gateway interface to which the IPSec policy group is applied may change when the link state changes (for example, when the branch gateway connects to the Internet by dial-up, the link goes down and a new address is assigned when it comes back up). Before this change, the headquarters gateway already had an IPSec tunnel protecting the traffic between itself and the branch gateway (the existing user). The new negotiation from the branch protects the same data flow as the old IPSec tunnel, and this conflict prevents the branch from establishing a new IPSec tunnel with the headquarters. As a result, the branch gateway (the new user) and the headquarters gateway cannot quickly re-establish the IPSec tunnel, and the traffic between them is left unprotected. To handle this, the headquarters gateway can be configured to let a new user that protects the same data flow quickly access the headquarters: the IPSec SA previously established between the branch gateway and the headquarters gateway is aged out quickly so that the IPSec tunnel can be re-established.

This function requires the following prerequisites.

The headquarters gateway acts as the IPSec negotiation responder and uses a policy template to establish the IPSec tunnel with the branch gateway.

The ACL rules configured for the new user must be exactly the same as the ACL rules configured for the original user.

On the headquarters gateway, the interface through which the new user accesses the headquarters must be the same interface used by the original user.

Configuring the function is simple. Run the ipsec remote traffic-identical accept command in the system view to enable new users that protect the same data flow to quickly access the headquarters. By default, this function is disabled. To disable it again, run the undo ipsec remote traffic-identical accept command.
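To make the decision above concrete, the following Python model (added here; it is not vendor code and does not reproduce the gateway's implementation) simulates how the headquarters gateway, acting as the responder, handles a new negotiation for an already-protected data flow with the function disabled and enabled, including the same-interface prerequisite. The class and function names, peer addresses, interface names and ACL contents are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecSa:
    peer: str           # remote (branch) gateway address the SA was negotiated with
    interface: str      # headquarters interface the IPSec policy group is applied on
    acl: frozenset      # ACL rules identifying the protected data flow


class HeadquartersGateway:
    """Responder using a policy template; models the traffic-identical accept decision."""

    def __init__(self, traffic_identical_accept=False):
        # Mirrors 'ipsec remote traffic-identical accept' (disabled by default).
        self.traffic_identical_accept = traffic_identical_accept
        self.sas = []    # currently established IPSec SAs
        self.aged = []   # SAs aged out because a new user took over the data flow

    def negotiate(self, peer, interface, acl):
        """Handle a branch negotiation; returns a short result string."""
        acl = frozenset(acl)
        # A conflict is an SA protecting exactly the same data flow (identical ACL
        # rules) but negotiated with a different peer address (the old branch address).
        conflict = [s for s in self.sas if s.acl == acl and s.peer != peer]
        if not conflict:
            self.sas.append(IpsecSa(peer, interface, acl))
            return "established"
        if not self.traffic_identical_accept:
            # Old SA still protects this flow, so the new tunnel cannot come up.
            return "rejected: data flow already protected by existing SA"
        if any(s.interface != interface for s in conflict):
            # Prerequisite: new and original user must use the same headquarters interface.
            return "rejected: new user must use the same headquarters interface"
        for s in conflict:
            # Age out the old SA quickly so the branch can re-establish the tunnel.
            self.sas.remove(s)
            self.aged.append(s)
        self.sas.append(IpsecSa(peer, interface, acl))
        return "established: old SA aged out"


# Constructed sample: the branch redials and gets a new public address.
BRANCH_ACL = {"permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255"}
OLD_PEER, NEW_PEER, HQ_IF = "203.0.113.10", "203.0.113.20", "GigabitEthernet0/0/1"


def run_scenario(accept_enabled):
    """Return (first result, second result, peers of SAs left) for one setting."""
    hq = HeadquartersGateway(traffic_identical_accept=accept_enabled)
    first = hq.negotiate(OLD_PEER, HQ_IF, BRANCH_ACL)
    second = hq.negotiate(NEW_PEER, HQ_IF, BRANCH_ACL)
    return first, second, [s.peer for s in hq.sas]
```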
