Enabling the encryption engine, Configuring the ipsec anti-replay function – H3C Technologies H3C SecPath F1000-E User Manual

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Apply an IPsec policy group to the interface.
   Command: ipsec policy policy-name
   Remarks: An interface can reference only one IPsec policy group. An IPsec policy that uses IKE can be applied to more than one interface, but a manual IPsec policy can be applied to only one interface.

Enabling the encryption engine

The encryption engine is a coprocessor that provides an encryption/decryption algorithm interface for IPsec processing. When enabled, the encryption engine performs IPsec processing.
To enable the encryption engine:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable the encryption engine.
   Command: cryptoengine enable
   Remarks: Optional. Enabled by default.

Enabling ACL checking of de-encapsulated IPsec packets

In tunnel mode, the inner IP packet carried by an inbound IPsec packet may not match the ACL that defines the traffic to be protected; a forged inner packet, for example, is not traffic that the ACL permits. With ACL checking of de-encapsulated IPsec packets enabled, the device checks each inner packet against the ACL after decryption and discards every packet that fails the check, which improves network security.
To enable ACL checking of de-encapsulated IPsec packets:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable ACL checking of de-encapsulated IPsec packets.
   Command: ipsec decrypt check
   Remarks: Optional. Enabled by default.

Configuring the IPsec anti-replay function

The IPsec anti-replay function protects networks against replay attacks by using a sliding window mechanism called the anti-replay window. The device compares the sequence number of each received IPsec packet with the range of sequence numbers that the sliding window currently covers. A packet whose sequence number is below the window, or whose sequence number has already been received within the window, is considered a replayed packet and is discarded; a packet whose sequence number is above the window is accepted and moves the window forward.
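The sliding window described above, worked through as an added example that is not part of the H3C manual and does not reproduce the SecPath implementation. It is a receiver-side anti-replay window in Python using the bitmap scheme of RFC 4303 Appendix A: the highest accepted sequence number is the right edge, a bitmap records which numbers inside the window have already been received, and a packet above the right edge slides the window forward. The window width (64, the RFC default), the class and function names, and the packet trace are assumptions made for the example.

```python
"""Receiver-side IPsec anti-replay sliding window (added example).

Bitmap scheme in the style of RFC 4303 Appendix A. This is not the
SecPath implementation; the window size, the names and the packet trace
are constructed for illustration.
"""


class AntiReplayWindow:
    """Tracks which ESP sequence numbers have been accepted on one SA.

    `right` is the highest sequence number accepted so far. The window
    covers the `size` numbers right, right-1, ..., right-size+1; bit k
    of `bitmap` is set once sequence number right-k has been received.
    """

    def __init__(self, size=64):
        # RFC 4303 requires a window of at least 32 packets; 64 is its default.
        if size < 32:
            raise ValueError("anti-replay window must hold at least 32 packets")
        self.size = size
        self.right = 0
        self.bitmap = 0
        self.accepted = 0
        self.dropped_replay = 0   # already received inside the window
        self.dropped_stale = 0    # older than the left edge of the window

    def check(self, seq):
        """Return "accept", "drop-replay" or "drop-stale" for one packet.

        A real ESP receiver advances the window only after the ICV
        verifies; this example assumes the caller has already done that.
        """
        # Sequence numbering on an SA starts at 1, so 0 can never be fresh.
        if seq == 0:
            self.dropped_stale += 1
            return "drop-stale"

        if seq > self.right:
            # New high-water mark: slide the window right and record seq.
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 1          # everything older falls off the window
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.right = seq
            self.accepted += 1
            return "accept"

        offset = self.right - seq
        if offset >= self.size:
            self.dropped_stale += 1      # left of the window: too old to judge
            return "drop-stale"
        if self.bitmap & (1 << offset):
            self.dropped_replay += 1     # seen before: a replay
            return "drop-replay"
        # Late but unseen packet inside the window: accept and mark it.
        self.bitmap |= 1 << offset
        self.accepted += 1
        return "accept"


# Constructed trace: in-order delivery, reordering (5 before 4), a replayed
# 3, a jump past the whole window, late arrivals, and a replayed 100.
TRACE = [1, 2, 3, 5, 4, 3, 100, 37, 36, 40, 5, 100]


def replay_check_trace(trace=TRACE, size=64):
    """Run a trace through a fresh window; return (verdicts, window)."""
    window = AntiReplayWindow(size)
    verdicts = [(seq, window.check(seq)) for seq in trace]
    return verdicts, window


if __name__ == "__main__":
    verdicts, window = replay_check_trace()
    for seq, verdict in verdicts:
        print(f"seq={seq:<4} {verdict}")
    print(f"accepted={window.accepted} replay={window.dropped_replay} "
          f"stale={window.dropped_stale}")
```

In the trace, sequence number 36 arrives after 100 has anchored a 64-packet window at [37, 100], so it is discarded as stale even though it is a legitimate, merely reordered packet; with a 128-packet window it would be accepted. That is the trade-off behind the window width: a wider window tolerates more reordering, a narrower one bounds the state kept per SA and the span of old traffic an attacker can still replay. ESP sequence numbers are 32-bit unless extended sequence numbers are negotiated, so the SA must be rekeyed before the counter would wrap; this example does not model the wrap.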