F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

Step                                      Command                Remarks
2. Enable the encryption engine.          cryptoengine enable    Optional. By default, the encryption engine is enabled.
Enabling ACL checking for de-encapsulated IPsec packets
In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might fall outside the scope of the
ACL specified in the IPsec policy. Such packets are a threat to network security. You can enable ACL
checking for de-encapsulated IPsec packets so that all packets failing the check are discarded.
To enable ACL checking for de-encapsulated IPsec packets:

Step                                                        Command                Remarks
1. Enter system view.                                       system-view            N/A
2. Enable ACL checking for de-encapsulated IPsec packets.   ipsec decrypt check    Optional. Enabled by default.
Configuring the IPsec anti-replay function
The IPsec anti-replay function protects networks against replay attacks by using a sliding window
mechanism called the anti-replay window. This function checks the sequence number of each received IPsec
packet against the current sequence number range of the sliding window. If the sequence number is not
in the current range, the packet is considered a replayed packet and is discarded.
IPsec packet de-encapsulation involves complicated calculation. De-encapsulating replayed packets is
not only unnecessary, but also consumes large amounts of resources and degrades performance,
resulting in DoS. IPsec anti-replay checking, when enabled, is performed before the de-encapsulation
process, which reduces this resource waste.
In some cases, however, the sequence numbers of some normal service data packets may fall outside the
current sequence number range, and the IPsec anti-replay function drops them as well, affecting
normal communications. If this happens, disable IPsec anti-replay checking or adjust the size of the
anti-replay window as required.
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol,
only IPsec SAs negotiated by IKE support anti-replay checking.
IMPORTANT:
IPsec anti-replay checking is enabled by default. Do not disable it unless necessary.
A wider anti-replay window results in higher resource cost and more system performance degradation,
which is against the original intention of the IPsec anti-replay function. Specify an anti-replay window
size that is as small as possible.
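The sliding-window check described above, as an added example that is not part of this guide and not the device's own code: a bitmap anti-replay window modelled on the ESP scheme in RFC 4303. It shows a replayed sequence number and a packet that has fallen below the window both being rejected before any de-encapsulation, and how the same delayed packet is dropped with a small window but accepted with a larger one. The class name, window size and sequence-number streams are constructed for illustration.

```python
# Added example: sliding-window anti-replay check (RFC 4303-style bitmap).
# Bit i of the bitmap is set when sequence number (highest - i) has been seen.

class AntiReplayWindow:
    def __init__(self, size: int = 64):
        if size < 1:
            raise ValueError("window size must be >= 1")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # seen-marks for highest, highest-1, ..., highest-size+1

    def check_and_update(self, seq: int) -> bool:
        """Return True if seq is accepted (and marked seen), False if dropped.

        Packets are rejected when they are below the window (too old) or
        already marked seen (replay); the check needs no decryption work.
        """
        if seq == 0:                      # ESP sequence numbers start at 1
            return False
        if seq > self.highest:            # newer than anything seen: slide the window
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1           # everything previously seen falls out of the window
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                  # older than the window: dropped (possibly a late legitimate packet)
        if self.bitmap & (1 << offset):
            return False                  # already seen: replayed packet
        self.bitmap |= 1 << offset        # out-of-order but inside the window: accept once
        return True


def simulate(seqs, size=64):
    """Run a constructed stream of sequence numbers through one window; return (seq, accepted) pairs."""
    window = AntiReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: in-order packets, a replay of 2, a jump to 7, a stale 3, a late 4, a replay of 7.
    for seq, ok in simulate([1, 2, 3, 2, 7, 3, 4, 7, 8], size=4):
        print(seq, "accepted" if ok else "dropped")
    # The same late packet (3, arriving after 8) is dropped with a 4-packet window but accepted with 8.
    print(simulate([1, 2, 8, 3], size=4)[-1], simulate([1, 2, 8, 3], size=8)[-1])
```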
To configure IPsec anti-replay checking:

Step                      Command        Remarks
1. Enter system view.     system-view    N/A