EasyManuals Logo
Home>HPE>Network Router>FlexNetwork MSR Series

HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

HPE FlexNetwork MSR Series
547 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #181 background imageLoading...
Page #181 background image
168
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable the IPsec module
backup function.
ipsec cpu-backup enable
Enabled by default.
Configuring the IPsec session idle timeout
An IPsec session is created when the first packet matching an IPsec policy arrives. Also created is
an IPsec session entry, which records the quintuplet (source IP address, destination IP address,
protocol number, source port, and destination port) and the matched IPsec tunnel.
An IPsec session is automatically deleted after the idle timeout expires.
Subsequent data flows search the session entries according to the quintuplet to find a matched item.
If found, the data flows are processed according to the tunnel information. Otherwise, they are
processed according to the original IPsec process: search the policy group or policy at the interface,
and then the matched tunnel.
The session processing mechanism of IPsec saves intermediate matching procedures, improving
the IPsec forwarding efficiency.
To set the IPsec session idle timeout:
Step Command Remark
1. Enter system view.
system-view
N/A
2. Set the IPsec session idle
timeout.
ipsec session idle-time
seconds
Optional.
300 seconds by default
Enabling ACL checking of de-encapsulated IPsec packets
In tunnel mode, the IP packet that was encapsulated in an inbound IPsec packet might not be an
object that is specified by an ACL to be protected. For example, a forged packet is not an object to be
protected. If you enable ACL checking of de-encapsulated IPsec packets, all packets failing the
checking will be discarded, improving the network security.
To enable ACL checking of de-encapsulated IPsec packets:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable ACL checking of
de-encapsulated IPsec
packets.
ipsec decrypt check
Optional.
Enabled by default.
Configuring the IPsec anti-replay function
The IPsec anti-replay function protects networks against anti-replay attacks by using a sliding
window mechanism called anti-replay window. This function checks the sequence number of each
received IPsec packet against the current IPsec packet sequence number range of the sliding
window. If the sequence number is not in the current sequence number range, the packet is
considered a replayed packet and is discarded.

Table of Contents

Other manuals for HPE FlexNetwork MSR Series

Preview: Configuration Guide
Configuration Guide861 pages
Preview: Comware 7 Layer 3 - Ip Services Configuration Guides
Comware 7 Layer 3 - Ip Services Configuration Guides554 pages
Preview: Guide
Guide213 pages
Preview: Command Reference
Command Reference120 pages
Preview: Comware 5 Layer 2 - Wan Access Configuration Guide
Comware 5 Layer 2 - Wan Access Configuration Guide420 pages

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the HPE FlexNetwork MSR Series and is the answer not in the manual?

HPE FlexNetwork MSR Series Specifications

General IconGeneral
BrandHPE
ModelFlexNetwork MSR Series
CategoryNetwork Router
LanguageEnglish

Related product manuals