
(Optional) Enabling the Anti-replay Function

Context

To ensure non-stop service forwarding, a changed IPSec anti-replay window size takes effect only for IPSec SAs that are negotiated or re-negotiated after the change; SAs that are already established keep the window size they were set up with.

Replayed packets are packets that the device has already processed once. IPSec detects them with a sliding window (the anti-replay window). Each AH or ESP packet carries a 32-bit sequence number, and within one SA the sender increments it for every packet. On receipt, the device compares the sequence number with the window, which covers the most recently accepted sequence number and the window-size values below it: if the sequence number has already been received within the window, or if it is older than the lower edge of the window, the device treats the packet as a replay. A sequence number above the upper edge is accepted and slides the window forward.

Authenticating and decrypting every replayed packet consumes considerable resources and degrades system performance, so an attacker who captures IPSec packets and resends them in bulk can mount a Denial of Service (DoS) attack. With the anti-replay function enabled, the device discards replayed packets before decapsulating them, which saves system resources.

In some situations, for example when the network is congested or QoS reorders packets, legitimate packets of some services may be delayed so much that by the time they arrive their sequence numbers fall below the anti-replay window. A device with IPSec anti-replay enabled then treats them as replayed packets and discards them. To prevent such packets from being discarded incorrectly, you can disable global IPSec anti-replay or, preferably, enlarge the IPSec anti-replay window to match the reordering the service actually experiences.
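The following is an added example, not Huawei code. It models the sliding window of a single inbound SA as described in RFC 4303 (a highest accepted sequence number plus a bitmap of the window-size values below it), so that the three outcomes above can be checked against constructed packet streams: a replayed sequence number is dropped, a packet delayed beyond the window is dropped even though it is legitimate, and a larger window accepts it. The class name, the `window_size` parameter and the sample sequence numbers are assumptions for illustration; the code assumes the packet's ICV has already been verified before the window is updated.

```python
"""Sliding-window anti-replay check for one inbound AH/ESP SA (RFC 4303, 3.4.3).

Added example, not Huawei code. `top` is the highest sequence number accepted
so far; bit i of `bitmap` is set when sequence number (top - i) has already
been received. A window of N covers the sequence numbers top-N+1 .. top,
which is what the "window size in bits" in the product configuration means.
"""


class AntiReplayWindow:
    SEQ_MAX = (1 << 32) - 1  # 32-bit sequence number; 0 is never sent on an SA

    def __init__(self, window_size=1024, enabled=True):
        if window_size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.window_size = window_size
        self.enabled = enabled
        self.top = 0
        self.bitmap = 0
        self.counters = {"accepted": 0, "replayed": 0, "too_old": 0}

    def check(self, seq):
        """Return (accepted, reason) for a packet carrying sequence number `seq`.

        The two drop decisions need only the sequence number, so a real
        implementation makes them before the costly ICV check; the window
        itself is updated only for packets whose ICV verified (assumed here).
        """
        if not 1 <= seq <= self.SEQ_MAX:
            return False, "dropped: invalid sequence number"
        if not self.enabled:
            self.counters["accepted"] += 1
            return True, "accepted (anti-replay disabled)"

        if seq > self.top:
            # Right of the window: accept and slide the window up to `seq`.
            shift = seq - self.top
            if shift >= self.window_size:
                self.bitmap = 1  # everything previously seen is now too old
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            self.counters["accepted"] += 1
            return True, "accepted (window advanced)"

        offset = self.top - seq
        if offset >= self.window_size:
            # Left of the window: cannot tell a late packet from a replay.
            self.counters["too_old"] += 1
            return False, "dropped: below the anti-replay window"
        if (self.bitmap >> offset) & 1:
            self.counters["replayed"] += 1
            return False, "dropped: duplicate sequence number"

        self.bitmap |= 1 << offset
        self.counters["accepted"] += 1
        return True, "accepted (inside window)"


def run_stream(window_size, seq_numbers, enabled=True):
    """Feed a constructed stream of sequence numbers through one SA.

    Returns the per-packet verdicts and the SA's drop counters.
    """
    sa = AntiReplayWindow(window_size, enabled)
    verdicts = [sa.check(s)[0] for s in seq_numbers]
    return verdicts, sa.counters


if __name__ == "__main__":
    # Constructed stream 1: attacker replays captured packet 3 after 1..5.
    print(run_stream(64, [1, 2, 3, 4, 5, 3]))
    # Constructed stream 2: packet 10 delayed by QoS until after packet 100.
    delayed = [s for s in range(1, 101) if s != 10] + [10]
    print(run_stream(64, delayed))    # dropped: 90 behind, window is 64
    print(run_stream(1024, delayed))  # accepted: 90 behind, window is 1024
```

Run with a window of 64 the delayed packet is counted under `too_old`, while the same stream with the default window of 1024 is accepted in full; that is the trade-off the text describes, and enlarging the window is the narrower fix compared with disabling the check, which also accepts the genuine replay in the first stream.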

The anti-replay function can be configured globally or in an Efficient VPN policy:
  • Configuring the anti-replay function globally

    The global anti-replay settings apply to every IPSec policy that does not set its own window size. When many IPSec policies need the same anti-replay window parameters, you set the global parameters once instead of running the commands policy by policy, which improves configuration efficiency.

  • Configuring the anti-replay function in an Efficient VPN policy

    The anti-replay window can be configured separately for an Efficient VPN policy. In this case, the window size of that Efficient VPN policy is not affected by the global configuration.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Enable the anti-replay function. Run the following commands as required.

    • Enable the anti-replay function globally.

      1. Run ipsec anti-replay enable

        The anti-replay function is enabled globally.

      2. Run ipsec anti-replay window window-size

        The global IPSec anti-replay window size is configured.

        By default, the global IPSec anti-replay window size is 1024 bits.

    • Enable the anti-replay function in an Efficient VPN policy.

      1. Run ipsec efficient-vpn efficient-vpn-name [ mode { client | network | network-plus } ]

        An Efficient VPN policy is created and the Efficient VPN policy view is displayed.

      2. Run anti-replay window window-size

        The IPSec anti-replay window size is configured in the Efficient VPN policy.

        By default, no anti-replay window size is set for a single IPSec tunnel, and the global value is used.

Copyright © Huawei Technologies Co., Ltd.