Replayed packets are packets that have already been processed. IPSec uses a sliding window (the anti-replay window) to detect them. Each AH or ESP packet carries a 32-bit sequence number, and within an SA the sequence numbers of packets increase. If the sequence number of a received authenticated packet is the same as that of a packet already decapsulated, or if the sequence number falls outside the sliding window, the device treats the packet as a replayed packet.
Decapsulating replayed packets consumes many resources and degrades system performance, which amounts to a Denial of Service (DoS) attack. After the anti-replay function is enabled, the system discards replayed packets without decapsulating them, saving system resources.
In some situations, for example, when the network is congested or QoS is applied to packets, some service data packets may arrive with sequence numbers out of the order seen for common data packets. A device with IPSec anti-replay enabled considers such packets replayed and discards them. You can disable global IPSec anti-replay to prevent packets from being discarded incorrectly, or adjust the IPSec anti-replay window size to meet service requirements.
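The following is an added illustration, not code from the vendor documentation or from any device software. It models the bitmap sliding-window check that IPsec implementations use (RFC 4303 describes the mechanism) for a single SA: a packet is rejected if its sequence number duplicates one already seen or is older than the window, and the window slides forward when a higher sequence number is accepted. The window size is counted in bits, one bit per sequence number, matching the window-size units on this page; the constructed arrival order below mixes in-order packets, a reordered packet, true duplicates, and a packet reordered further than a small window allows, to show how the window size decides which packets are dropped.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed example: anti-replay window for one IPsec SA. Sizes and the
# arrival order used below are assumptions chosen for illustration.


@dataclass
class AntiReplayWindow:
    size: int = 64          # window size in bits (page default on the device is 1024)
    highest: int = 0        # highest sequence number accepted so far
    bitmap: int = 0         # bit i set => sequence number (highest - i) already seen
    enabled: bool = True    # anti-replay disabled => every packet passes the check

    def check(self, seq: int) -> Tuple[bool, str]:
        """Decide whether a packet with 32-bit sequence number seq may be
        decapsulated. State is not touched here; accept() is called only after
        the packet's integrity check succeeds, as RFC 4303 requires."""
        if not self.enabled:
            return True, "anti-replay disabled"
        if seq <= 0 or seq > 0xFFFFFFFF:
            return False, "invalid sequence number"
        if seq > self.highest:
            return True, "new highest, window will slide"
        diff = self.highest - seq
        if diff >= self.size:
            return False, "outside window (too old)"
        if (self.bitmap >> diff) & 1:
            return False, "duplicate within window"
        return True, "inside window, not yet seen"

    def accept(self, seq: int) -> None:
        """Record seq as seen after the packet authenticated successfully."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                       # whole window slid past
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def process(window: AntiReplayWindow, seqs: List[int]) -> List[Tuple[int, bool, str]]:
    """Feed an arrival order through the window and return (seq, accepted, reason)."""
    verdicts = []
    for s in seqs:
        ok, why = window.check(s)
        if ok:
            window.accept(s)
        verdicts.append((s, ok, why))
    return verdicts


def dropped(size: int, seqs: List[int]) -> List[int]:
    """Sequence numbers a window of the given size would discard."""
    return [s for s, ok, _ in process(AntiReplayWindow(size=size), seqs) if not ok]


# Constructed arrival order: in-order packets, one reordered packet (4 after 5),
# a duplicate of 4, a jump to 200, a reordered 150, a 100 that is 100 behind
# the highest (beyond a 64-bit window), and a replay of 150.
ARRIVALS = [1, 2, 3, 5, 4, 4, 200, 150, 100, 150]

if __name__ == "__main__":
    for s, ok, why in process(AntiReplayWindow(size=64), ARRIVALS):
        print(f"seq={s:4d} {'accept' if ok else 'drop  '} {why}")
    print("dropped with 64-bit window:  ", dropped(64, ARRIVALS))
    print("dropped with 1024-bit window:", dropped(1024, ARRIVALS))
```

With the 64-bit window, sequence number 100 is dropped as "outside window" even though it was never seen before, which is the misclassification the page describes for congested or QoS-reordered traffic; with the page's default 1024-bit window only the two genuine duplicates are dropped.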
Configuring the anti-replay function globally
The global anti-replay function applies to all created IPSec profiles. When the same anti-replay window parameters are needed for many IPSec profiles, you only need to set the global parameters instead of running the commands in each profile, which improves configuration efficiency.
Configuring the anti-replay function in an IPSec profile
The anti-replay function can be configured separately for an IPSec profile. In this case, the anti-replay function for the IPSec profile is not affected by the global configuration.
To configure the anti-replay function globally:
1. Enter the system view.
   The system view is displayed.
2. Enable the anti-replay function globally.
   The anti-replay function is enabled globally.
3. Run ipsec anti-replay window window-size
   The global IPSec anti-replay window size is configured.
   By default, the IPSec anti-replay window size is 1024 bits.
To configure the anti-replay function in an IPSec profile:
1. Run ipsec profile profile-name
   An IPSec profile is created and the IPSec profile view is displayed.
2. Enable the anti-replay function in the IPSec profile.
   The anti-replay function is enabled in the IPSec profile.
3. Run anti-replay window window-size
   The IPSec anti-replay window size is configured in the IPSec profile.
   By default, the anti-replay window size of a single IPSec tunnel is not set, and the global value is used.