R21xx-HP FlexFabric 11900 Security Command Reference
205
Examples
# Configure IPsec policy (policy1) to reference IKE profile (profile1).
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] ike-profile profile1
Related commands
ike profile
ipsec anti-replay check
Use ipsec anti-replay check to enable IPsec anti-replay checking.
Use undo ipsec anti-replay check to disable IPsec anti-replay checking.
Syntax
ipsec anti-replay check
undo ipsec anti-replay check
Default
IPsec anti-replay checking is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is
not necessary but consumes large amounts of resources and degrades performance, resulting in DoS.
IPsec anti-replay checking, when enabled, is performed before the de-encapsulation process, reducing
resource waste.
In some cases, some service data packets might be received in a very different order than its original
order, and the IPsec anti-replay function might drop them as replayed packets, affecting the normal
communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay
window as required.
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol,
only IPsec SAs negotiated by IKE support anti-replay checking.
Examples
# Enable IPsec anti-replay checking.
<Sysname> system-view
[Sysname] ipsec anti-replay check
Related commands
ipsec anti-replay window
ipsec anti-replay window
Use ipsec anti-replay window to set the anti-replay window size.