An IPsec policy or IPsec policy template can reference only one IKE profile and they cannot reference any
IKE profile that is already referenced by another IPsec policy or IPsec policy template.
Examples
# Configure IPsec policy (policy1) to reference IKE profile (profile1).
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] ike-profile profile1
Related commands
ike profile
ipsec anti-replay check
Use ipsec anti-replay check to enable IPsec anti-replay checking.
Use undo ipsec anti-replay check to disable IPsec anti-replay checking.
Syntax
ipsec anti-replay check
undo ipsec anti-replay check
Default
IPsec anti-replay checking is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is
not necessary but consumes large amounts of resources and degrades performance, resulting in DoS.
IPsec anti-replay checking, when enabled, is performed before the de-encapsulation process, reducing
resource waste.
In some cases, some service data packets might be received in a very different order than its original
order, and the IPsec anti-replay function might drop them as replayed packets, affecting the normal
communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay
window as required.
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol,
only IPsec SAs negotiated by IKE support anti-replay checking.
Examples
# Enable IPsec anti-replay checking.
<Sysname> system-view
[Sysname] ipsec anti-replay check
336
To Next Page
Loading...
Need help?
General
