319
Usage guidelines
The IKE profile referenced by an IPsec policy or IPsec policy template defines the parameters used for IKE
negotiation.
An IPsec policy or IPsec policy template can reference only one IKE profile and they cannot reference any
IKE profile that is already referenced by another IPsec policy or IPsec policy template.
Examples
# Specify IPsec policy policy1 to reference IKE profile profile1.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] ike-profile profile1
Related commands
ike profile
ipsec anti-replay check
Use ipsec anti-replay check to enable IPsec anti-replay checking.
Use undo ipsec anti-replay check to disable IPsec anti-replay checking.
Syntax
ipsec anti-replay check
undo ipsec anti-replay check
Default
IPsec anti-replay checking is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is
not necessary but consumes large amounts of resources and degrades performance, resulting in DoS.
IPsec anti-replay checking, when enabled, is performed before the de-encapsulation process, reducing
resource waste.
In some situations, service data packets are received in a different order than their original order. The
IPsec anti-replay function drops them as replayed packets, which impacts communications. If this
happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol,
only IPsec SAs negotiated by IKE support anti-replay checking.
Examples
# Enable IPsec anti-replay checking.
<Sysname> system-view
[Sysname] ipsec anti-replay check
To Next Page
Loading...
Need help?
General
