VPN Sticky SA (for LTE)
To support LTE environments, you must enable the VPN sticky Security Association (SA) feature. This feature makes sure that an LTE device has only one outgoing SA to the 61000/41000 Security System, which is a requirement for an LTE device.
Limitations
- Connections are synchronized to all SGMs (instead of synchronizing only to the backup SGM).
- Third-party VPN peers are not enabled by default.
Important - You must not enable SPI distribution and Sticky SA at the same time.
Configuration
SGMs are typically configured automatically during LTE configuration. You must enable LTE support to use LTE features.
To configure this feature without configuring LTE:
- Run this command from Expert mode:
# g_update_conf_file $FWDIR/modules/fwkern.conf fwha_vpn_sticky_tunnel_enabled=1
- Reboot all SGMs:
# reboot -b all
Verification:
If SecureXL is enabled, make sure that the parameter is set to in the # /proc/ppk/conf file. To do so, run this command from the node:
# g_cat /proc/ppk/conf | grep VPN