R3303-HP 6600/HSR6600 Routers Security Configuration Guide
270
IMPORTANT:
• IPsec anti-replay checking is enabled by default. Do not disable it unless it needs to be disabled.
• A wider anti-replay window results in higher resource cost and more system performance de
g
radation,
which is against the original intention of the IPsec anti-replay function. Specify an anti-replay window
size that is as small as possible.
To configure IPsec anti-replay checking:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enable IPsec anti-replay
checking.
ipsec anti-replay check
Optional.
Enabled by default.
3. Set the size of the IPsec
anti-replay window.
ipsec anti-replay window width
Optional.
32 by default.
Configuring packet information pre-extraction
If you apply both an IPsec policy and QoS policy to an interface, by default, the interface first uses IPsec
and then QoS to process IP packets, and QoS classifies packets by the headers of IPsec-encapsulated
packets. If you want QoS to classify packets by the headers of the original IP packets, enable the packet
information pre-extraction feature.
For more information about QoS policy and classification, see ACL and QoS Configuration Guide.
To configure packet information pre-extraction:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter IPsec policy view or
IPsec policy template view.
• To enter IPsec policy view:
ipsec policy policy-name
seq-number [ isakmp |
manual ]
• To enter IPsec policy template
view:
ipsec policy-template
template-name seq-number
Use either command.
3. Enable packet information
pre-extraction.
qos pre-classify Disabled by default.
Enabling invalid SPI recovery
When the security gateway at one end of an IPsec tunnel loses its SAs due to rebooting or any other
reason, its peer security gateway might not know the problem and send IPsec packets to it. These packets
will be discarded by the receiver because the receiver cannot find appropriate SAs for them, resulting in
a traffic blackhole. This situation changes only after the concerned SAs on the sender get aged out and
new SAs are established between the two peers. To prevent such service interruption, configure the
invalid SPI recovery feature.