sa anti-replay

Function

The sa anti-replay window command configures the anti-replay window size.

The undo sa anti-replay window command cancels the anti-replay window size configuration.

The sa anti-replay enable and undo sa anti-replay disable commands enable the anti-replay function in an IPsec policy.

The undo sa anti-replay enable and sa anti-replay disable commands disable the anti-replay function in an IPsec policy.

By default, the anti-replay function is globally enabled and takes effect for each IPsec policy.

This command is supported only on the NetEngine 8000 F1A.

Format

sa anti-replay enable

sa anti-replay disable

sa anti-replay window { window-size }

undo sa anti-replay enable

undo sa anti-replay disable

undo sa anti-replay window

Parameters

Parameter    Description                                                                                  Value
disable      Disables the anti-replay function in an IPsec policy.                                        -
window-size  Indicates the anti-replay window size, that is, how far behind the highest sequence number    Integer; one of 32, 64, 128, 256, 512 or 1024. The default value is 1024.
             received so far an out-of-order packet may arrive and still be accepted. Packets that fall
             behind the window are dropped, as are packets whose sequence number was already received.
enable       Enables the anti-replay function in an IPsec policy.                                         -

Views

IPsec profile view, IPsec policy template view, ISAKMP IPsec policy view

Default Level

2: Configuration level

Task Name and Operations

Task Name   Operations
ike         write

Usage Guidelines

Usage Scenario

If the live network is attacked by replay packets, enable the anti-replay function to protect the device against replay attacks. If the live network is so complex that packets reach the device out of order, packets whose sequence numbers fall behind the anti-replay window are dropped; in that case, first try a larger window-size, and disable the anti-replay function only if the reordering exceeds even the largest window (1024). The anti-replay function is globally enabled by default. If such packet loss occurs on a large number of IPsec tunnels, disable the anti-replay function globally. If it occurs on only a few IPsec tunnels, disable the anti-replay function in the IPsec policies of those tunnels and leave it enabled elsewhere, because a tunnel with anti-replay disabled no longer rejects replayed packets.

The anti-replay setting in an IPsec policy is therefore more granular than the global setting.
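The following Python model shows what the window-size parameter and the disable option trade off. It is an added illustration, not code from this page or from the NetEngine software: it implements the sliding anti-replay window described for ESP in RFC 4303 Appendix A, and how the NetEngine 8000 F1A implements its window internally is not documented here. The traffic stream (2000 packets, one packet delayed by 200 positions, one captured packet replayed at the end) is constructed for the demo. With a window of 32, 64 or 128 the delayed packet is dropped as too old; with 256 or larger it is accepted; the replayed packet is rejected at every window size; with anti-replay disabled the replay is accepted along with everything else.

```python
"""Sliding-window anti-replay model (RFC 4303 Appendix A style), added for
illustration only; it is not NetEngine code and the device's internal
implementation is not documented on this page."""

# Values accepted by the sa anti-replay window command on this page.
ALLOWED_WINDOW_SIZES = (32, 64, 128, 256, 512, 1024)


class AntiReplayWindow:
    """Replay state for one inbound SA, keyed on the ESP/AH sequence number."""

    def __init__(self, window_size=1024, enabled=True):
        if window_size not in ALLOWED_WINDOW_SIZES:
            raise ValueError("window-size must be one of %r" % (ALLOWED_WINDOW_SIZES,))
        self.size = window_size
        self.enabled = enabled
        self.top = 0        # highest sequence number accepted so far (right edge)
        self.bitmap = 0     # bit i set  <=>  sequence number (top - i) was received
        self.stats = {"accepted": 0, "replayed": 0, "too_old": 0}

    def check_and_update(self, seq):
        """Accept or drop one packet. Returns True if accepted.

        Drops are split into 'replayed' (already seen inside the window) and
        'too_old' (arrived behind the window's left edge); on a real device both
        are simply lost packets, which is the loss the usage guidelines describe.
        Assumes 32-bit sequence numbers without ESN, so no wrap handling.
        """
        if not self.enabled:
            self.stats["accepted"] += 1
            return True
        if seq == 0:                       # ESP/AH sequence numbers start at 1
            self.stats["replayed"] += 1
            return False
        if seq > self.top:
            # Advance the right edge and shift the history by the gap.
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
            self.stats["accepted"] += 1
            return True
        offset = self.top - seq
        if offset >= self.size:            # behind the left edge of the window
            self.stats["too_old"] += 1
            return False
        if self.bitmap & (1 << offset):    # already received: replay
            self.stats["replayed"] += 1
            return False
        self.bitmap |= 1 << offset
        self.stats["accepted"] += 1
        return True


def build_stream(n=2000, lagged_seq=100, lag=200, replays=(1999,)):
    """Constructed traffic for the demo: packets 1..n in order, except that
    packet `lagged_seq` is delayed until after packet `lagged_seq + lag`, and
    the sequence numbers in `replays` are re-sent at the end (an attacker
    replaying captured packets)."""
    seqs = list(range(1, n + 1))
    seqs.remove(lagged_seq)
    seqs.insert(seqs.index(lagged_seq + lag) + 1, lagged_seq)
    seqs.extend(replays)
    return seqs


def simulate(stream, window_size, enabled=True):
    """Run a stream through one SA; return (accepted, replayed, too_old)."""
    sa = AntiReplayWindow(window_size, enabled)
    for seq in stream:
        sa.check_and_update(seq)
    return sa.stats["accepted"], sa.stats["replayed"], sa.stats["too_old"]


if __name__ == "__main__":
    stream = build_stream()
    for size in ALLOWED_WINDOW_SIZES:
        print("window %4d: accepted/replayed/too_old = %r" % (size, simulate(stream, size)))
    print("disabled   : accepted/replayed/too_old = %r" % (simulate(stream, 1024, enabled=False),))
```

The `too_old` counter is the loss to watch for on a reordering network: it disappears once the window exceeds the reordering depth, while `replayed` stays non-zero for every enabled window, which is the protection you give up by running sa anti-replay disable.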

Configuration Impact

If the anti-replay function is configured both globally and in an IPsec policy, the setting in the IPsec policy takes precedence for that policy.

  • When the anti-replay function is enabled globally and disabled in an IPsec policy, the anti-replay function does not take effect in that IPsec policy but takes effect in the other IPsec policies.
  • When the anti-replay function is disabled globally and enabled in an IPsec policy, the anti-replay function takes effect in that IPsec policy but does not in the other IPsec policies.

    If no anti-replay setting is configured in an IPsec policy, or the policy-level setting has been removed with the undo form of the command, the global anti-replay configuration takes effect for that IPsec policy.

    If the sa anti-replay command is run several times, the latest configuration overrides the previous one.

Example

# Disable the anti-replay function in the IPsec policy named policy1 (the global setting continues to apply to all other policies).
<HUAWEI> system-view
[~HUAWEI] ipsec policy policy1 1 isakmp
[*HUAWEI-ipsec-policy-isakmp-policy1-1] sa anti-replay disable
Copyright © Huawei Technologies Co., Ltd.