H3C S6550X-HI Series Command Reference Manual page 2257

ipsec { ipv6-policy | policy }
ipsec { ipv6-policy | policy } isakmp template
ipsec anti-replay check
Use ipsec anti-replay check to enable IPsec anti-replay checking.
Use undo ipsec anti-replay check to disable IPsec anti-replay checking.
Syntax
ipsec anti-replay check
undo ipsec anti-replay check
Default
IPsec anti-replay checking is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed
packets is not necessary but consumes large amounts of resources and degrades performance,
resulting in DoS. IPsec anti-replay checking, when enabled, is performed before the
de-encapsulation process, reducing resource waste.
In some situations, service data packets are received in a different order than their original order.
The IPsec anti-replay feature drops them as replayed packets, which impacts communications. If
this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as
required.
Only IPsec SAs negotiated by IKE support anti-replay checking. Manually created IPsec SAs do not
support anti-replay checking. Enabling or disabling IPsec anti-replay checking does not affect
manually created IPsec SAs.
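The drop behavior described above, as an added example that is not part of the H3C manual: a sliding-window anti-replay check in the style of RFC 4303. The class name, the window widths (64 and 128) and the arrival sequence are constructed for illustration and do not describe the device's own implementation.

```python
# Added illustration: sliding-window anti-replay check (RFC 4303 style).
# Widths and sequence numbers are constructed sample values.

class AntiReplayWindow:
    def __init__(self, width):
        self.width = width   # how many sequence numbers the window tracks
        self.top = 0         # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        """Classify one received sequence number: accept, replay or too-old.

        Simplification: a real receiver runs the check first and only moves
        the window after the packet's integrity check has succeeded.
        """
        if seq < 1:
            raise ValueError("sequence numbers start at 1")
        if seq > self.top:
            # New highest number: slide the window forward and mark it seen.
            shift = seq - self.top
            mask = (1 << self.width) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.width:
            return "too-old"   # left of the window: dropped as replayed
        if self.bitmap & (1 << offset):
            return "replay"    # already seen inside the window
        self.bitmap |= 1 << offset
        return "accept"        # late but still inside the window


def run(width, arrivals):
    """Feed an arrival order through a fresh window of the given width."""
    window = AntiReplayWindow(width)
    return [window.check_and_update(seq) for seq in arrivals]


# Constructed arrival order: 1-3 in order, a jump to 100, delayed packets
# 4 and 90 arriving late, then a genuine replay of 100.
ARRIVALS = [1, 2, 3, 100, 4, 90, 100]

if __name__ == "__main__":
    for width in (64, 128):
        print(width, list(zip(ARRIVALS, run(width, ARRIVALS))))
```

With the narrower window the delayed packet 4 is dropped although it was never received before, while the wider window accepts it and still rejects the true replay of 100.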
Examples
# Enable IPsec anti-replay checking.
<Sysname> system-view
[Sysname] ipsec anti-replay check
Related commands
ipsec anti-replay window
ipsec anti-replay window
Use ipsec anti-replay window to set the anti-replay window size.
Use undo ipsec anti-replay window to restore the default.
Syntax
ipsec anti-replay window width
undo ipsec anti-replay window