169
IPsec packet de-encapsulation involves complicated calculation and consumes large amounts of
resources and degrades performance, resulting in DoS. IPsec anti-replay checking, when enabled,
is performed before the de-encapsulation process, reducing resource waste.
In some cases, however, the sequence numbers of some normal service data packets might be out
of the current sequence number range, and the IPsec anti-replay function might drop them as well,
affecting the normal communications. If this happens, disable IPsec anti-replay checking or adjust
the size of the anti-replay window as required.
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec
protocol, only IPsec SAs negotiated by IKE support anti-replay checking.
IMPORTANT:
• IPsec anti-replay checking is enabled by default. Do not disable it unless it needs to be disabled.
• A wider anti-replay window results in higher resource cost and more system performance
degradation, which is against the original intention of the IPsec anti-replay function. Specify an
anti-replay window size that is as small as possible.
To configure IPsec anti-replay checking:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable IPsec anti-replay
checking.
ipsec anti-replay check
Optional.
Enabled by default.
3. Set the size of the IPsec
anti-replay window.
ipsec anti-replay window
width
Optional.
32 by default.
Configuring a shared source interface policy group
For higher network reliability, a core device is usually connected to the ISP through two links, which
operate in backup or load sharing mode. If you apply different IPsec policy groups to the two
interfaces, the two interfaces negotiate with their peers to establish IPsec SAs respectively. In this
case, when one interface fails and failover occurs, the other interface needs to take some time to
negotiate SAs first, resulting in service interruption. In addition, you must make sure that the IPsec
policy groups use the same encryption policy.
To solve the problems, configure a shared source interface policy group and apply it to both
interfaces. This enables the two physical interfaces to use the same source interface to negotiate
IPsec SAs dynamically. As long as the source interface stays up, the negotiated IPsec SAs will not
be removed and will keep working, regardless of which physical interface or link is functioning.
Only loopback interfaces can act as source interfaces.
To configure an IPsec policy group as a shared source interface policy group:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Configure an IPsec policy
group as a shared source
interface policy group.
ipsec policy
policy-name
local-address loopback
number
By default, an IPsec policy group
is not a shared source interface
policy group.
One shared source interface policy group can be bound to only one source interface, and one source
interface can be bound with only one shared source interface policy group.
To Next Page
Loading...
Need help?
General
