Configuring Packet Information Pre-Extraction; Configuring IPsec for IPv6 Routing Protocols - H3C S5500-EI Series Security Configuration Manual

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enable IPsec anti-replay checking. | ipsec anti-replay check | Optional. Enabled by default. |
| 3. Set the size of the IPsec anti-replay window. | ipsec anti-replay window width | Optional. 32 by default. |

CAUTION:
IPsec anti-replay checking is enabled by default. Do not disable it unless it is necessary.
A wider anti-replay window results in higher resource cost and more system performance degradation, which is against the original intention of the IPsec anti-replay function. Specify an anti-replay window size that is as small as possible.

NOTE:
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol, only IPsec SAs negotiated by IKE support anti-replay checking.

Configuring packet information pre-extraction

This feature is supported only in FIPS mode.
If you apply both an IPsec policy and a QoS policy to an interface, by default the interface processes IP packets with IPsec first and then with QoS, so QoS classifies packets by the headers of the IPsec-encapsulated packets. If you want QoS to classify packets by the headers of the original IP packets, enable the packet information pre-extraction feature.
For more information about QoS policy and classification, see ACL and QoS Configuration Guide.
To configure packet information pre-extraction:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter IPsec policy view. | ipsec policy policy-name seq-number [ isakmp \| manual ] | Configure either command. |
| 3. Enable packet information pre-extraction. | qos pre-classify | Disabled by default. |

Configuring IPsec for IPv6 routing protocols

Complete the following tasks to configure IPsec for IPv6 routing protocols:

| Task | Remarks |
| --- | --- |
| Configuring an IPsec proposal | Required. |
| Configuring a manual IPsec policy | Required. ACLs and IPsec tunnel addresses are not needed. |
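
The anti-replay window that `ipsec anti-replay window width` sizes earlier on this page can be modelled as a receive-side sliding bitmap, in the style of the check in RFC 4303. This is an added example, not code from the H3C manual or H3C's implementation; the class, function and packet sequence are constructed for illustration, and 64 is only a comparison width.

```python
class AntiReplayWindow:
    """Per-SA receive window: a bitmap of `width` bits below the highest sequence seen."""

    def __init__(self, width=32):      # 32 is the default width given on this page
        self.width = width
        self.top = 0                   # highest sequence number accepted so far
        self.bitmap = 0                # bit i set => sequence number (top - i) was accepted

    def check(self, seq):
        """Classify one packet (assumed already integrity-verified) and update state."""
        if seq < 1:                    # IPsec sequence numbers start at 1
            return "invalid"
        if seq > self.top:             # new highest: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.width:       # left of the window: no state kept, so dropped
            return "too_old"
        if self.bitmap & (1 << offset):
            return "replay"            # this sequence number was already accepted
        self.bitmap |= 1 << offset     # late but new: accept and remember it
        return "accept"


def replay_verdicts(width, arrivals):
    """Run a fresh window of the given width over a list of arriving sequence numbers."""
    window = AntiReplayWindow(width)
    return [window.check(seq) for seq in arrivals]


# Constructed arrival order: reordering (5 before 4), a duplicate 5, a jump to 40,
# then late packets 10 and 6, and finally a second copy of 2.
ARRIVALS = [1, 2, 3, 5, 4, 5, 40, 10, 6, 2]

if __name__ == "__main__":
    for width in (32, 64):             # 64 is only a comparison value
        print(width, list(zip(ARRIVALS, replay_verdicts(width, ARRIVALS))))
```

With width 32 the late but legitimate packet 6 is dropped as too old, while width 64 accepts it at the cost of twice the per-SA state; the duplicate 5 and the repeated 2 are rejected at both widths.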


This manual is also suitable for:

S5500-si series
