HP VPN Firewall Appliances VPN Configuration Guide
174
IPsec packet de-encapsulation is computationally expensive. De-encapsulating replayed packets is not
only unnecessary but also consumes large amounts of resources and degrades performance, which can
result in DoS. When enabled, IPsec anti-replay checking is performed before the de-encapsulation
process, so replayed packets are discarded before they consume those resources.
In some cases, however, the sequence numbers of legitimate service data packets (for example, packets
delayed or reordered in transit) might fall outside the current anti-replay window, and the IPsec
anti-replay function drops them as well, disrupting normal communications. If this happens, disable
IPsec anti-replay checking or adjust the size of the anti-replay window as required.
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol,
only IPsec SAs negotiated by IKE support anti-replay checking.
IMPORTANT:
• IPsec anti-replay checking is enabled by default. Do not disable it unless necessary.
• A wider anti-replay window results in higher resource cost and more system performance degradation,
which is against the original intention of the IPsec anti-replay function. Specify an anti-replay window
size that is as small as possible.
To configure IPsec anti-replay checking:
Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enable IPsec anti-replay checking.
Command: ipsec anti-replay check
Remarks: Optional. Enabled by default.

Step 3. Set the size of the IPsec anti-replay window.
Command: ipsec anti-replay window width
Remarks: Optional. 32 by default.
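As an added illustration that is not part of the HP guide, the following Python model of a sliding anti-replay window (the bitmap scheme used for ESP/AH sequence numbers) shows the trade-off described above: a packet that arrives late by more than the window width is dropped as too old with the default width of 32, but accepted with a wider window, while a true replay is rejected at either width. The class, the packet arrival order and the window widths are constructed for the example.

```python
# Added example (not HP code): sliding anti-replay window keyed on the
# IPsec sequence number. Bit i of the bitmap means sequence (top - i) was seen.

class AntiReplayWindow:
    def __init__(self, width=32):
        self.width = width   # window size in packets (the guide's default is 32)
        self.top = 0         # highest sequence number accepted so far
        self.bitmap = 0      # received-packet bitmap relative to top

    def check(self, seq):
        """Return 'accept', 'replay' or 'too-old'; state changes only on accept."""
        if seq <= 0:
            return "replay"  # sequence 0 is never sent on a negotiated SA
        if seq > self.top:
            # Right of the window: slide it forward and record this packet.
            shift = seq - self.top
            if shift < self.width:
                self.bitmap = (self.bitmap << shift) | 1
            else:
                self.bitmap = 1          # everything earlier falls out of the window
            self.bitmap &= (1 << self.width) - 1
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.width:
            return "too-old"             # left of the window: dropped before de-encapsulation
        if self.bitmap & (1 << diff):
            return "replay"              # inside the window but already received
        self.bitmap |= 1 << diff
        return "accept"


def simulate(width, order):
    """Run a constructed arrival order through one window; return (seq, verdict) pairs."""
    window = AntiReplayWindow(width)
    return [(seq, window.check(seq)) for seq in order]


# Constructed arrival order: packet 5 is delayed until after packet 40 has
# arrived, and packet 40 is then replayed.
DELAYED_ORDER = list(range(1, 5)) + list(range(6, 41)) + [5, 40]

if __name__ == "__main__":
    for width in (32, 64):
        verdicts = simulate(width, DELAYED_ORDER)
        print(f"window {width}: packet 5 -> {verdicts[-2][1]}, replayed 40 -> {verdicts[-1][1]}")
```

With width 32 the legitimate but delayed packet 5 is reported as too-old (35 positions behind the top), which is exactly the false-drop case the text tells you to fix by widening the window; the replay of 40 is caught at either width.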
Configuring packet information pre-extraction
If you apply both an IPsec policy and QoS policy to an interface, by default, the interface first uses IPsec
and then QoS to process IP packets, and QoS classifies packets by the headers of IPsec-encapsulated
packets. If you want QoS to classify packets by the headers of the original IP packets, enable the packet
information pre-extraction feature.
For more information about QoS policy and classification, see Network Management Configuration
Guide.
To configure packet information pre-extraction:
Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter IPsec policy view or IPsec policy template view.
Command:
• To enter IPsec policy view: ipsec policy policy-name seq-number [ isakmp | manual ]
• To enter IPsec policy template view: ipsec policy-template template-name seq-number
Remarks: Use either command.