256Step Command Remarks2. Bind a source interface to anIPsec policy.ipsec { ipv6-policy | policy }policy-name local-addressinterface-type interface-numberBy default, no source interface isbound to an IPsec policy.Enabling QoS pre-classifyIf you apply both an IPsec policy and a QoS policy to an interface, QoS classifies packets by using thenew headers added by IPsec. If you want QoS to classify packets by using the headers of the original IPpackets, enable the QoS pre-classify feature.For more information about QoS policy and classification, see ACL and QoS Configuration Guide.To enable the QoS pre-classify feature:Step Command Remarks1. Enter system view. system-view N/A2. Enter IPsec policy view orIPsec policy template view.• To enter IPsec policy view:ipsec { policy | ipv6-policy }policy-name seq-number[ isakmp | manual ]• To enter IPsec policy templateview:ipsec { policy-template |ipv6-policy-template }template-name seq-numberUse either command.3. Enable QoS pre-classify. qos pre-classify By default, QoS pre-classify isdisabled.Enabling logging of IPsec packetsPerform this task to enable the logging of IPsec packets that are discarded because of reasons such asIPsec SA lookup failure, AH-ESP authentication failure, and ESP encryption failure. The log informationincludes the source and destination IP addresses, the SPI value, and the sequence number of a discardedIPsec packet, and the reason for the failure.To enable the logging of IPsec packets:Step Command Remarks1. Enter system view. system-view N/A2. Enable the logging of IPsecpackets. ipsec invalid-spi-recovery enable By default, the logging of IPsecpackets is disabled.Configuring the DF bit of IPsec packetsPerform this task to configure the Don't Fragment (DF) bit in the new IP header of IPsec packets in one ofthe following ways: