280
Ste
Command
Remarks
1. Enter system view. system-view N/A
2. Enable IPsec anti-replay
checking.
ipsec anti-replay check
Optional.
Enabled by default.
3. Set the size of the IPsec
anti-replay window.
ipsec anti-replay window width
Optional.
32 by default.
CAUTION:
• IPsec anti-replay checking is enabled by default. Do not disable it unless it needs to be disabled.
• A wider anti-replay window results in higher resource cost and more system performance de
radation,
which is against the original intention of the IPsec anti-replay function. Specify an anti-replay window
size that is as small as possible.
NOTE:
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol,
only IPsec SAs negotiated by IKE support anti-replay checking.
Configuring packet information pre-extraction
This feature is supported only in FIPS mode.
If you apply both an IPsec policy and QoS policy to an interface, by default, the interface first uses IPsec
and then QoS to process IP packets, and QoS classifies packets by the headers of IPsec-encapsulated
packets. If you want QoS to classify packets by the headers of the original IP packets, enable the packet
information pre-extraction feature.
For more information about QoS policy and classification, see ACL and QoS Configuration Guide.
To configure packet information pre-extraction:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter IPsec policy view.
ipsec policy policy-name
seq-number [ isakmp | manual ]
Configure either command.
3. Enable packet information
pre-extraction.
qos pre-classify Disabled by default.
Configuring IPsec for IPv6 routing protocols
Complete the following tasks to configure IPsec for IPv6 routing protocols:
Task Remarks
Configuring an IPsec proposal Required
Configuring a manual IPsec policy
Required
ACLs and IPsec tunnel addresses are not needed.
To Next Page
Loading...
Need help?
General
