NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring IPsec Anti-Replay

IPsec anti-replay protects IPsec tunnels against replay attacks, in which an attacker captures protected packets and retransmits them, and improves the reliability of IPsec tunnels.

Context

You can configure the IPsec anti-replay window in either of the following two ways:

  • Global configuration

    A globally configured IPsec anti-replay window applies to all existing IPsec policies except those that have a locally configured anti-replay window. This improves configuration efficiency: you set one global parameter for all IPsec policies that need the same window size instead of running the command in each IPsec policy.

  • Local configuration

    You can set an anti-replay window separately for a single IPsec policy. A locally configured anti-replay window takes precedence over the global anti-replay window.

For details about the IPsec anti-replay feature, see Configuring IPsec Security.

NOTE:

To avoid disrupting running services, any change to the IPsec anti-replay window applies only to IPsec SAs that are negotiated after the change (SAs created for a new policy and SAs that are renegotiated). SAs that have already been negotiated keep the window they were established with.

Procedure

  • Global configuration
    1. Run system-view

      The system view is displayed.

    2. Run ipsec sa global anti-replay disable

      The anti-replay function is globally disabled.

      Disable anti-replay globally only when sequence-number checking is dropping packets and many tunnels are reporting replay drops at the same time. If only a few tunnels are affected, adjust anti-replay for those IPsec policies with the sa anti-replay command instead of turning it off for every tunnel.

      If the network is subject to replay attacks, keep the anti-replay function enabled. If the network is complex enough that packets of a tunnel regularly arrive far out of order (for example, over multiple forwarding paths or after QoS queuing), the check may drop legitimate packets. Enlarge the anti-replay window first, and disable anti-replay only if a larger window does not resolve the drops, because disabling it removes the protection against replayed packets.

    3. (Optional) Run ipsec sa global anti-replay window window-size

      The IPsec anti-replay window size is globally configured.

    4. Run commit

      The configuration is committed.

  • Local configuration
    1. Run system-view

      The system view is displayed.

    2. Enter the IPsec policy view or IPsec policy template view based on actual requirements.

      • Run the ipsec policy policy-name sequence-number command to enter the IPsec policy view.
      • Run the ipsec policy-template template-name sequence-number command to enter the IPsec policy template view.

    3. (Optional) Run sa anti-replay { enable | disable }

      The anti-replay function is enabled or disabled for this IPsec policy or IPsec policy template.

    4. (Optional) Run sa anti-replay window window-size

      The anti-replay window size is configured for this IPsec policy or IPsec policy template.

      If anti-replay is enabled in an IPsec policy but no window size is configured locally for it, the policy uses the globally configured window size.

    5. Run commit

      The configuration is committed.
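What the window-size parameter actually controls is easiest to see by running the receive-side check itself. The following is an added example, not code from the NE20E or Huawei's implementation: it implements the sliding-window anti-replay check described in RFC 4303, Appendix A, in Python, over constructed sequence-number traces. The class and function names (AntiReplayWindow, run_traffic, reordered_trace) are the example's own. It shows that a genuine replay is dropped whatever the window size, while a legitimate packet delayed by 100 positions is dropped with a 64-packet window but accepted with a 128-packet window, which is why enlarging window-size is the first remedy when reordering rather than replay causes the drops.

```python
"""Sliding-window anti-replay check (RFC 4303, Appendix A).

Added illustration only; this is not the NE20E's implementation.
Each AntiReplayWindow models the receive side of one IPsec SA, and
window_size plays the role of the window-size argument of the
"sa anti-replay window" command.
"""


class AntiReplayWindow:
    def __init__(self, window_size: int):
        if window_size < 1:
            raise ValueError("window size must be positive")
        self.window_size = window_size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => seq (highest - i) already seen
        self.accepted = 0
        self.dropped_replay = 0   # duplicates of packets already seen
        self.dropped_stale = 0    # packets older than the window's left edge

    def check(self, seq: int) -> bool:
        """Return True (and record seq) if seq is new and inside the window."""
        if seq < 1:
            # RFC 4303: the first packet on an SA carries sequence number 1
            self.dropped_replay += 1
            return False
        if seq > self.highest:
            # New high-water mark: slide the window forward by the gap
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1                   # every old bit falls out
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            self.accepted += 1
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            # Arrived more than window_size packets behind the newest one
            self.dropped_stale += 1
            return False
        if self.bitmap & (1 << offset):
            # Already accepted once: a genuine replay
            self.dropped_replay += 1
            return False
        self.bitmap |= 1 << offset
        self.accepted += 1
        return True


def run_traffic(window_size: int, seqs: list) -> tuple:
    """Feed a trace through one SA window; return (window, per-packet verdicts)."""
    window = AntiReplayWindow(window_size)
    verdicts = [window.check(s) for s in seqs]
    return window, verdicts


def reordered_trace(total: int, delayed: int, delay: int) -> list:
    """Constructed sample: sequence numbers 1..total arrive in order, except that
    packet `delayed` is held back and arrives right after packet delayed+delay."""
    seqs = [s for s in range(1, total + 1) if s != delayed]
    seqs.insert(seqs.index(delayed + delay) + 1, delayed)
    return seqs


if __name__ == "__main__":
    # Constructed replay: packets 2 and 3 are captured and sent again
    w, verdicts = run_traffic(64, [1, 2, 3, 2, 3, 4])
    print("replay trace:", verdicts, "replays dropped:", w.dropped_replay)

    # Constructed reordering: packet 50 arrives after packet 150
    trace = reordered_trace(total=200, delayed=50, delay=100)
    for size in (64, 128):
        w, _ = run_traffic(size, trace)
        print(f"window {size}: accepted={w.accepted} "
              f"stale={w.dropped_stale} replay={w.dropped_replay}")
```

The stale counter is the one to watch in practice: replay drops with zero stale drops indicate duplicated traffic, while stale drops on an otherwise healthy tunnel indicate reordering that a larger window would absorb.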

Updated: 2019-01-02

Document ID: EDOC1100055397