CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
(Optional) Enabling the Anti-replay Function

Context

Replayed packets are packets that have already been processed. IPSec uses a sliding window (the anti-replay window) to detect them. Each AH or ESP packet carries a 32-bit sequence number, and within an SA the sequence numbers increase monotonically. If the sequence number of a received authenticated packet is the same as that of a packet already decapsulated, or if it falls outside the sliding window, the device treats the packet as a replayed packet.

Decapsulating replayed packets consumes considerable resources and degrades system performance, which amounts to a denial of service (DoS) attack. After the anti-replay function is enabled, the system discards replayed packets without decapsulating them, saving system resources.

In some situations, for example when the network is congested or QoS reorders traffic, some service packets may arrive out of the sequence-number order of common data packets. A device with IPSec anti-replay enabled treats such packets as replayed packets and discards them. To prevent packets from being discarded incorrectly, you can disable global IPSec anti-replay or adjust the IPSec anti-replay window size to meet service requirements.
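The sliding-window check described above, as an added example that is not code from the Huawei document: the window is modelled as a bitmap anchored at the highest sequence number accepted so far, and the class, function and default names are assumptions for illustration. It also reproduces the out-of-order case from the paragraph above, where the same packet order is dropped with a small window and accepted with a larger one.

```python
class AntiReplayWindow:
    """Sliding anti-replay window for one IPSec SA (constructed example)."""

    SEQ_LIMIT = 2**32  # AH/ESP sequence numbers are 32-bit

    def __init__(self, window_size=1024):
        if window_size < 1:
            raise ValueError("window size must be positive")
        self.size = window_size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) was seen
        self.dropped = 0   # packets rejected as replayed

    def check(self, seq):
        """Return True and record seq if the packet is fresh; False if it is
        treated as a replay (duplicate inside the window or older than it)."""
        if seq <= 0 or seq >= self.SEQ_LIMIT:
            self.dropped += 1
            return False
        if seq > self.top:
            # New high-water mark: slide the window forward and mark seq.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1          # everything older left the window
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            # Older than the window bottom: replayed per the rule above.
            self.dropped += 1
            return False
        if self.bitmap & (1 << offset):
            # Inside the window but already decapsulated: duplicate.
            self.dropped += 1
            return False
        self.bitmap |= 1 << offset       # out of order but fresh: accept
        return True


def replay_results(seqs, window_size=1024):
    """Run a constructed packet order through one window and return the
    accept/reject decision for each packet plus the number dropped."""
    window = AntiReplayWindow(window_size)
    decisions = [window.check(s) for s in seqs]
    return decisions, window.dropped
```

Feeding the constructed order `[1, 2, 4, 5, 6, 7, 8, 3]` (seq 3 delayed by reordering) to `replay_results` drops the late packet with a 4-bit window but accepts it with the default 1024-bit window.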

The anti-replay function can be configured globally or in an IPSec profile.
  • Configuring the anti-replay function globally

    The global anti-replay function applies to all created IPSec profiles. When the same anti-replay window parameters are needed for many IPSec profiles, you do not have to run the commands in each profile one by one; setting the global parameters once is enough, which improves configuration efficiency.

  • Configuring the anti-replay function in an IPSec profile

    The anti-replay function can be configured separately for an IPSec profile. In this case, the anti-replay function for the IPSec profile is not affected by the global configuration.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Enable the anti-replay function. Run the following commands as required.

    • Enable the anti-replay function globally.

      1. Run ipsec anti-replay enable

        The anti-replay function is enabled globally.

      2. Run ipsec anti-replay window window-size

        The global IPSec anti-replay window size is configured.

        By default, the IPSec anti-replay window size is 1024 bits.

    • Enable the anti-replay function in an IPSec profile.

      1. Run ipsec profile profile-name

        An IPSec profile is created and the IPSec profile view is displayed.

      2. Run anti-replay window window-size

        The IPSec anti-replay window size is configured in the IPSec profile.

      By default, the anti-replay window size of a single IPSec tunnel is not set, and the global value is used.

Updated: 2019-04-12

Document ID: EDOC1100041799
