F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Command Reference-6PW100

[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation
# Configure IPsec policy policy3 to reference ACL 3003, and set the data flow protection mode to per-host.
<Sysname> system-view
[Sysname] acl number 3003
[Sysname-acl-adv-3003] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-adv-3003] quit
[Sysname] ipsec policy policy3 10 isakmp
[Sysname-ipsec-policy-isakmp-policy3-10] security acl 3003 per-host
Related commands
ipsec policy (system view)
synchronization anti-replay-interval (IPsec policy view/IPsec policy template view/IPsec profile view)
Use synchronization anti-replay-interval to set the inbound anti-replay window synchronization interval
and the outbound anti-replay sequence number synchronization interval.
Use undo synchronization anti-replay-interval to restore the defaults.
Syntax
synchronization anti-replay-interval inbound inbound-number outbound outbound-number
undo synchronization anti-replay-interval
Default
The inbound anti-replay window synchronization interval is 1000, and the outbound anti-replay
sequence number synchronization interval is 100000.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
inbound-number: Interval at which the device, when functioning as the active device, synchronizes the
inbound anti-replay window to the standby device. It is expressed in the number of received packets and
ranges from 0 to 1000. If you set the argument to 0, inbound anti-replay window synchronization is
disabled.
outbound-number: Interval at which the device, when functioning as the active device, synchronizes the
outbound anti-replay sequence number to the standby device. It is expressed in the number of sent
packets and ranges from 1000 to 100000.
Usage guidelines
In an IPsec stateful failover scenario, the active device regularly synchronizes anti-replay information to
the standby device. When the active device fails, the standby device continues to provide the anti-replay
service based on the synchronized anti-replay information.
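The synchronization described above, as an added Python example that is not part of this reference or of the device software: a constructed model of an active/standby pair that copies the inbound anti-replay window to the standby every inbound-number accepted packets and the outbound sequence number every outbound-number sent packets, then measures how many already-accepted packets the standby would wrongly accept if they were replayed immediately after a failover. The window width of 64 and the choice to count accepted (rather than all received) packets are assumptions of the model.

```python
from dataclasses import dataclass, field

WINDOW_SIZE = 64  # anti-replay window width; assumed here (RFC 4303 requires at least 32)

@dataclass
class ReplayState:  # anti-replay state of one SA (constructed model, not the device's code)
    highest_seq: int = 0  # highest inbound sequence number accepted so far
    window: int = 0       # bit i set = sequence number (highest_seq - i) already received
    out_seq: int = 0      # last outbound sequence number used

    def check_inbound(self, seq):  # RFC 4303-style check; accepts and marks seq, or rejects it
        if seq > self.highest_seq:  # newer than anything seen: slide the window forward
            self.window = ((self.window << (seq - self.highest_seq)) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= WINDOW_SIZE or (self.window >> diff) & 1:
            return False  # too old, or a replay of an already accepted packet
        self.window |= 1 << diff
        return True

@dataclass
class FailoverPair:  # active device synchronizing anti-replay state to a standby
    inbound_interval: int = 1000     # inbound-number: accepted packets between window syncs (0 = off)
    outbound_interval: int = 100000  # outbound-number: sent packets between sequence number syncs
    active: ReplayState = field(default_factory=ReplayState)
    standby: ReplayState = field(default_factory=ReplayState)
    rx_accepted: int = 0

    def receive(self, seq):  # inbound packet on the active device
        accepted = self.active.check_inbound(seq)
        if accepted:
            self.rx_accepted += 1
            if self.inbound_interval and self.rx_accepted % self.inbound_interval == 0:
                self.standby.highest_seq, self.standby.window = self.active.highest_seq, self.active.window
        return accepted

    def send(self):  # outbound packet; the standby must never reuse a number the peer has seen
        self.active.out_seq += 1
        if self.active.out_seq % self.outbound_interval == 0:
            self.standby.out_seq = self.active.out_seq
        return self.active.out_seq

def replay_exposure_after_failover(inbound_interval, seqs):
    """Deliver seqs to the active device, fail over, then replay them all to the standby;
    returns how many it wrongly accepts because its window lags the last synchronization."""
    pair = FailoverPair(inbound_interval=inbound_interval)
    for s in seqs:
        pair.receive(s)
    return sum(1 for s in seqs if pair.standby.check_inbound(s))
```

In this model the standby's window can lag the active device's by up to inbound-number minus one accepted packets, and an inbound-number of 0 leaves the standby with an empty window at failover; a smaller interval narrows that gap at the cost of more synchronization traffic.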