Enabling Acl Checking Of De-Encapsulated Ipsec Packets; Configuring The Ipsec Anti-Replay Function - HP 3600 v2 Series Configuration Manual
Hide thumbs
Also See for 3600 v2 Series:
- Command reference manual (510 pages) ,
- Configuration manual (441 pages) ,
- Security configuration manual (398 pages)
Table of Contents
Advertisement
Subsequent data flows search the session entries according to the quintuplet to find a matched item. If
found, the data flows are processed according to the tunnel information; otherwise, they are processed
according to the original IPsec process: search the policy group or policy at the interface, and then the
matched tunnel.
The session processing mechanism of IPsec saves intermediate matching procedures, improving the IPsec
forwarding efficiency.
To set the IPsec session idle timeout:
Step
1.
Enter system view.
2.
Set the IPsec session idle
timeout.
Enabling ACL checking of de-encapsulated IPsec packets
This feature is supported only in FIPS mode.
In tunnel mode, the IP packet that was encapsulated in an inbound IPsec packet may not be an object
that is specified by an ACL to be protected. For example, a forged packet is not an object to be protected.
If you enable ACL checking of de-encapsulated IPsec packets, all packets failing the checking will be
discarded, improving the network security.
To enable ACL checking of de-encapsulated IPsec packets:
Step
1.
Enter system view.
2.
Enable ACL checking of
de-encapsulated IPsec
packets.
Configuring the IPsec anti-replay function
This feature is supported only in FIPS mode.
The IPsec anti-replay function protects networks against anti-replay attacks by using a sliding window
mechanism called anti-replay window. This function checks the sequence number of each received IPsec
packet against the current IPsec packet sequence number range of the sliding window. If the sequence
number is not in the current sequence number range, the packet is considered a replayed packet and is
discarded.
IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets
not only makes no sense, but also consumes large amounts of resources and degrades performance,
resulting in DoS. IPsec anti-replay checking, when enabled, is performed before the de-encapsulation
process, reducing resource waste.
In some cases, however, the sequence numbers of some normal service data packets may be out of the
current sequence number range, and the IPsec anti-replay function may drop them as well, affecting the
normal communications. If this happens, disable IPsec anti-replay checking or adjust the size of the
anti-replay window as required.
Command
system-view
ipsec session idle-time seconds
Command
system-view
ipsec decrypt check
282
Remark
N/A
Optional.
300 seconds by default.
Remarks
N/A
Optional.
Enabled by default.
Advertisement
Table of Contents
Troubleshooting
