Ipsec Anti-Replay Check - HP FlexFabric 7900 Series Command Reference Manual


Usage guidelines
The IKE profile referenced by an IPsec policy defines the parameters used for IKE negotiation.
An IPsec policy can reference only one IKE profile, and it cannot reference an IKE profile that is
already referenced by another IPsec policy.
Examples
# Specify IPsec policy policy1 to reference IKE profile profile1.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] ike-profile profile1
Related commands
ike profile

ipsec anti-replay check

Use ipsec anti-replay check to enable IPsec anti-replay checking.
Use undo ipsec anti-replay check to disable IPsec anti-replay checking.
Syntax
ipsec anti-replay check
undo ipsec anti-replay check
Default
IPsec anti-replay checking is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
IPsec packet de-encapsulation involves complicated calculation. De-encapsulating replayed packets is
unnecessary, yet it consumes large amounts of resources and degrades performance, resulting in a
denial of service (DoS). IPsec anti-replay checking, when enabled, is performed before the
de-encapsulation process, reducing resource waste.
In some situations, service data packets are received in a different order than their original order. The
IPsec anti-replay function drops them as replayed packets, which impacts communications. If this
happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol,
only IPsec SAs negotiated by IKE support anti-replay checking.
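The following Python sketch is an added example, not taken from this manual or from the device's implementation. It models the sliding-window sequence-number check described in RFC 4303, showing a replay rejected before any de-encapsulation work and a late packet that a 64-packet window drops but a 128-packet window accepts. The class name, window sizes and arrival sequence are assumptions constructed for the illustration.

```python
# Added illustration: sliding-window anti-replay check in the style of RFC 4303.
# Not the vendor's code; window sizes and sequence numbers are constructed.
class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check(self, seq):
        """Cheap pre-check, run before any de-encapsulation work."""
        if seq == 0:
            return "drop: invalid"          # ESP/AH senders start at 1
        if seq > self.top:
            return "accept"                 # newer than anything seen
        offset = self.top - seq
        if offset >= self.size:
            return "drop: outside window"   # too old to be tracked
        if (self.bitmap >> offset) & 1:
            return "drop: replay"           # this number was already accepted
        return "accept"                     # late, but inside the window

    def update(self, seq):
        """Record seq; call only after the integrity check has passed."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

def receive(seqs, size):
    """Run a list of arriving sequence numbers through one window."""
    win = ReplayWindow(size)
    results = []
    for seq in seqs:
        verdict = win.check(seq)
        if verdict == "accept":
            win.update(seq)  # assumption: integrity check succeeded
        results.append((seq, verdict))
    return results

# Constructed arrivals: second 5 is a replay, 3 is late, 10 arrives after 100.
ARRIVALS = [1, 2, 4, 5, 5, 3, 100, 10, 99]

if __name__ == "__main__":
    for size in (64, 128):
        print(size, receive(ARRIVALS, size))
```

With the 64-packet window, sequence number 10 is dropped even though it was never received before, which is the reordering side effect the guidelines above describe.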
Examples
# Enable IPsec anti-replay checking.
<Sysname> system-view
[Sysname] ipsec anti-replay check