Enabling acl checking for de-encapsulated packets, Configuring the ipsec anti-replay function – H3C Technologies H3C S12500-X Series Switches User Manual


Step | Command | Remarks

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Apply an IPsec policy to the interface.
   Command: ipsec apply { policy | ipv6-policy } policy-name
   Remarks: By default, no IPsec policy is applied to the interface. An interface can reference only one IPsec policy. An IKE-mode IPsec policy can be applied to multiple interfaces, and a manual IPsec policy can be applied to only one interface.


Enabling ACL checking for de-encapsulated packets

This feature uses the ACL in the IPsec policy to match the IP packets that are de-encapsulated from incoming IPsec packets in tunnel mode, and it discards the IP packets that fail to match the ACL to avoid attacks using forged packets.

To enable ACL checking for de-encapsulated packets:

Step | Command | Remarks

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable ACL checking for de-encapsulated packets.
   Command: ipsec decrypt-check enable
   Remarks: By default, this feature is enabled.


Configuring the IPsec anti-replay function

The IPsec anti-replay function protects networks against replay attacks by using a sliding window mechanism called the anti-replay window. This function checks the sequence number of each received IPsec packet against the current sequence number range of the sliding window. If the sequence number is not in the current range, the packet is considered a replayed packet and is discarded.

IPsec packet de-encapsulation is computationally expensive. De-encapsulating replayed packets serves no purpose, and the de-encapsulation process consumes large amounts of resources and degrades performance, resulting in DoS. IPsec anti-replay checks and discards replayed packets before de-encapsulation.

In some situations, service data packets are received in a different order than their original order. The IPsec anti-replay function drops them as replayed packets, which impacts communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.

IPsec anti-replay does not affect manually created IPsec SAs. According to the IPsec protocol, only IKE-based IPsec SAs support anti-replay checking.
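The following is an added Python model of the sliding-window check described above; it is not H3C's implementation but follows the standard bitmap window from RFC 4303 Appendix A, and the window sizes and sequence numbers are constructed. It also shows the trade-off the last paragraphs describe: a delayed but legitimate packet is dropped with a small window and accepted with a larger one.

```python
"""Sliding-window anti-replay check (RFC 4303 Appendix A style bitmap window).

Assumptions (illustration only): a window of `size` sequence numbers whose
high edge is the largest sequence number accepted so far; bit i of the bitmap
records whether sequence number (top - i) has already been received.
"""


class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size        # window width in sequence numbers
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => (top - i) already received
        self.seen_any = False

    def check(self, seq):
        """Return True and record seq if acceptable; False if replayed or stale."""
        if seq == 0:
            return False        # sequence number 0 is never valid in ESP/AH
        if not self.seen_any:
            self.top, self.bitmap, self.seen_any = seq, 1, True
            return True
        if seq > self.top:
            # Newer than anything seen: slide the window forward. Bits shifted
            # out correspond to packets that are now older than the window.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False        # older than the window's low edge: dropped
        if self.bitmap & (1 << diff):
            return False        # already received inside the window: replay
        self.bitmap |= 1 << diff  # late but unseen packet: accept and mark
        return True


def replay_check(seqs, size=64):
    """Feed received sequence numbers through one window; return the verdicts."""
    win = AntiReplayWindow(size)
    return [win.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: packet 2 arrives late, after 3, 4, 5 and 6.
    print(replay_check([1, 3, 4, 5, 6, 2], size=4))   # last packet dropped
    print(replay_check([1, 3, 4, 5, 6, 2], size=8))   # last packet accepted
```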
