
anti-replay enable

Function

The anti-replay enable command enables the anti-replay function for an IPSec tunnel.

The undo anti-replay enable command disables the anti-replay function for an IPSec tunnel.

By default, the anti-replay function of an IPSec tunnel is as follows:
  • In versions earlier than V600R007C20SPC600, the anti-replay function for an IPSec tunnel is disabled by default.
  • In V600R007C20SPC600 and later versions, the anti-replay function for an IPSec tunnel is enabled by default.

Format

anti-replay enable

undo anti-replay enable

Parameters

None

Views

Manual IPSec policy view, ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the global IPSec anti-replay function is enabled. That is, all IPSec policies, IPSec policy templates, and IPSec profiles provide the anti-replay function. In some situations, however, the anti-replay function may need to be disabled for an IPSec tunnel to prevent normal service packets from being dropped incorrectly. For example, if QoS is applied to packets passing through an IPSec tunnel, service data packets may arrive with sequence numbers out of order relative to common data packets. As a result, these service data packets are dropped as replay attack packets. To prevent this problem, disable the anti-replay function for this IPSec tunnel.

Precautions

In versions earlier than V600R007C20SPC600, the anti-replay function for an IPSec tunnel is controlled only by the anti-replay enable command and is not affected by the ipsec anti-replay enable command.

In V600R007C20SPC600 and later versions, the anti-replay function for an IPSec tunnel is controlled by both the anti-replay enable command and the ipsec anti-replay enable command. The impacts are as follows:
  • If the anti-replay function is enabled globally and also for an IPSec tunnel, the anti-replay function is enabled for that IPSec tunnel.
  • If the anti-replay function is enabled globally but disabled for an IPSec tunnel, the anti-replay function is disabled for that IPSec tunnel.
  • If the anti-replay function is disabled globally, the anti-replay function is disabled for the IPSec tunnel regardless of whether it is enabled or disabled for that tunnel.
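The following Python model is added here and is not part of the Huawei documentation or product code. It shows the two behaviours described above: the effective per-tunnel state derived from the global and tunnel-level commands, and a sliding anti-replay window (the RFC 4303 ESP mechanism; the window size and the sequence numbers are constructed) dropping a legitimate packet that QoS delayed beyond the window.

```python
"""Model of IPSec anti-replay as described on this page (added example).

Two parts: the effective anti-replay state of a tunnel, and a sliding
window over ESP sequence numbers that shows why a QoS-delayed packet can
be dropped as a replay. Window size and sequence numbers are constructed."""


def anti_replay_effective(global_enabled, tunnel_enabled, new_version=True):
    """Effective anti-replay state of one tunnel.

    V600R007C20SPC600 and later: both ipsec anti-replay enable (global) and
    anti-replay enable (tunnel) must be on. Earlier versions: tunnel only."""
    if new_version:
        return global_enabled and tunnel_enabled
    return tunnel_enabled


class AntiReplayWindow:
    """Sliding window of received ESP sequence numbers (RFC 4303 style)."""

    def __init__(self, size=64, enabled=True):
        self.size = size          # constructed; real windows are e.g. 64 or 1024
        self.enabled = enabled    # False models 'undo anti-replay enable'
        self.top = 0              # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence number (top - i) seen

    def accept(self, seq):
        """Return True if the packet is accepted, False if dropped."""
        if not self.enabled:
            return True           # anti-replay off: every packet passes
        if seq == 0:
            return False          # ESP sequence numbers start at 1
        if seq > self.top:        # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False          # older than the window: dropped as replay
        if self.bitmap & (1 << offset):
            return False          # already seen: a genuine replay
        self.bitmap |= 1 << offset
        return True


def run(seqs, size=64, enabled=True):
    """Feed a constructed sequence-number stream; return (seq, accepted) pairs."""
    window = AntiReplayWindow(size, enabled)
    return [(s, window.accept(s)) for s in seqs]
```

With a window of 4, the stream 2,3,4,5,6,7,1 drops the delayed packet 1 even though it is not a replay; with enabled=False it is accepted, which is the trade-off the usage scenario describes.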

Example

# Enable the anti-replay function for the IPSec tunnel that is established using the IPSec policy policy1.

<sysname> system-view
[sysname] ipsec policy policy1 10 isakmp
[sysname-ipsec-policy-isakmp-policy1-10] anti-replay enable
Copyright © Huawei Technologies Co., Ltd.