Configuring packet information pre-extraction – H3C Technologies H3C SecPath F1000-E User Manual

Page 195

IPsec packet de-encapsulation involves complicated calculation. De-encapsulating replayed packets is not only pointless but also consumes large amounts of resources and degrades performance, which can amount to a DoS. When enabled, IPsec anti-replay checking is performed before the de-encapsulation process, so replayed packets are discarded before they waste those resources.

In some cases, however, the sequence numbers of some normal service data packets may fall outside the current sequence number range, and the IPsec anti-replay function drops them as well, affecting normal communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
To configure IPsec anti-replay checking:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable IPsec anti-replay checking. | ipsec anti-replay check | Optional. Enabled by default. Do not disable it unless it needs to be disabled.
3. Set the size of the IPsec anti-replay window. | ipsec anti-replay window width | Optional. 32 by default. A wider anti-replay window results in higher resource cost and more system performance degradation, which is against the original intention of the IPsec anti-replay function. Specify an anti-replay window size that is as small as possible.

NOTE:

IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol, only IPsec SAs negotiated by IKE support anti-replay checking.
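The window that step 3 above tunes, as an added illustration that is not H3C's implementation: a sliding anti-replay check in the style of RFC 4303 Appendix A, showing why a legitimate but delayed packet is dropped by a 32-entry window yet accepted by a wider one, while a genuine replay is dropped either way.

```python
# Added illustration of an IPsec-style sliding anti-replay window (RFC 4303
# Appendix A scheme). Not H3C code; window semantics are assumed to match.
class AntiReplayWindow:
    def __init__(self, width=32):
        if width < 1:
            raise ValueError("window width must be positive")
        self.width = width
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        """Return True and record seq if accepted; False if it is dropped."""
        if seq == 0:
            return False  # ESP/AH never use sequence number 0
        if seq > self.top:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1  # everything older fell out of the window
            else:
                mask = (1 << self.width) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.width:
            return False  # older than the window's left edge: treated as replay
        if self.bitmap & (1 << diff):
            return False  # already seen inside the window: genuine replay
        self.bitmap |= 1 << diff
        return True


def simulate(arrivals, width=32):
    """Feed arriving sequence numbers through a window; return those dropped."""
    window = AntiReplayWindow(width)
    return [s for s in arrivals if not window.check_and_update(s)]


# Constructed arrival order: packets 1-4 and 6-40 in order, then packet 5
# arriving late (legitimate but delayed), then packet 40 again (a true replay).
ARRIVALS = list(range(1, 5)) + list(range(6, 41)) + [5, 40]

if __name__ == "__main__":
    print("width 32 drops:", simulate(ARRIVALS, 32))  # [5, 40]
    print("width 64 drops:", simulate(ARRIVALS, 64))  # [40]
```

Widening the window rescues the late packet at the cost of a larger bitmap per SA, which is the trade-off the remarks column describes.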

Configuring packet information pre-extraction

If you apply both an IPsec policy and a QoS policy to an interface, by default the interface first uses IPsec and then QoS to process IP packets, and QoS classifies packets by the headers of the IPsec-encapsulated packets. If you want QoS to classify packets by the headers of the original IP packets, enable the packet information pre-extraction feature.

For more information about QoS policy and classification, see Network Management Configuration Guide.
To configure packet information pre-extraction:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter IPsec policy view or IPsec policy template view. | To enter IPsec policy view: ipsec policy policy-name seq-number [ isakmp | manual ] / To enter IPsec policy template view: ipsec policy-template template-name seq-number | Configure either command.