R3303-HP 6600/HSR6600 Routers Security Configuration Guide
269
If the encryption engine is disabled or has failed but the IPsec module backup function is enabled, the
IPsec module takes over the responsibility of IPsec processing. If the IPsec module backup function is
disabled, the matching packets are discarded.
To enable the encryption engine:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enable the encryption
engine.
cryptoengine enable [ slot slot-number ]
Optional.
By default, the encryption
engine is enabled.
Enabling ACL checking of de-encapsulated IPsec packets
In tunnel mode, the IP packet that was encapsulated in an inbound IPsec packet might not be an object
that is specified by an ACL to be protected. For example, a forged packet is not an object to be protected.
If you enable ACL checking of de-encapsulated IPsec packets, all packets failing the checking will be
discarded, improving the network security.
To enable ACL checking of de-encapsulated IPsec packets:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enable ACL checking of
de-encapsulated IPsec
packets.
ipsec decrypt check
Optional.
Enabled by default.
Configuring the IPsec anti-replay function
The IPsec anti-replay function protects networks against anti-replay attacks by using a sliding window
mechanism called anti-replay window. This function checks the sequence number of each received IPsec
packet against the current IPsec packet sequence number range of the sliding window. If the sequence
number is not in the current sequence number range, the packet is considered a replayed packet and is
discarded.
IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets
not only makes no sense, but also consumes large amounts of resources and degrades performance,
resulting in DoS. IPsec anti-replay checking, when enabled, is performed before the de-encapsulation
process, reducing resource waste.
In some cases, however, the sequence numbers of some normal service data packets might be out of the
current sequence number range, and the IPsec anti-replay function might drop them as well, affecting the
normal communications. If this happens, disable IPsec anti-replay checking or adjust the size of the
anti-replay window as required.
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol,
only IPsec SAs negotiated by IKE support anti-replay checking.