Table Of Contents
IPsec Anti-Replay Window: Expanding and Disabling
    Prerequisites for IPsec Anti-Replay Window: Expanding and Disabling
    Information About IPsec Anti-Replay Window: Expanding and Disabling
    How to Configure IPsec Anti-Replay Window: Expanding and Disabling
        Configuring IPsec Anti-Replay Window: Expanding and Disabling Globally
        Configuring IPsec Anti-Replay Window: Expanding and Disabling on a Crypto Map
    Configuration Examples for IPsec Anti-Replay Window: Expanding and Disabling
        Global Expanding and Disabling of an Anti-Replay Window: Example
    crypto ipsec security-association replay disable
    crypto ipsec security-association replay window-size
    set security-association replay disable
    set security-association replay window-size
IPsec Anti-Replay Window: Expanding and Disabling
First Published: February 28, 2005
Last Updated: September 12, 2006
Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this number (window size) is sufficient, but there are times when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.
History for the IPsec Anti-Replay Window: Expanding and Disabling Feature
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for IPsec Anti-Replay Window: Expanding and Disabling
• Information About IPsec Anti-Replay Window: Expanding and Disabling
• How to Configure IPsec Anti-Replay Window: Expanding and Disabling
• Configuration Examples for IPsec Anti-Replay Window: Expanding and Disabling
Prerequisites for IPsec Anti-Replay Window: Expanding and Disabling
• Before configuring this feature, you should have already created a crypto map or crypto profile.
Information About IPsec Anti-Replay Window: Expanding and Disabling
To configure the IPsec Anti-Replay Window: Expanding and Disabling feature, you should understand the following concept:
IPsec Anti-Replay Window
Cisco IPsec authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. (Security association [SA] anti-replay is a security service in which the receiver can reject old or duplicate packets to protect itself against replay attacks.) The decryptor checks off the sequence numbers that it has seen before. The encryptor assigns sequence numbers in increasing order. The decryptor remembers the value X of the highest sequence number that it has already seen. N is the window size, and the decryptor also remembers whether it has seen packets having sequence numbers from X-N+1 through X. Any packet with a sequence number of X-N or lower falls outside the window and is discarded. Currently, N is set at 64, so only 64 packets can be tracked by the decryptor.
At times, however, the 64-packet window size is not sufficient. For example, Cisco quality of service (QoS) gives priority to high-priority packets, which could cause some low-priority packets to be discarded even though they could be one of the last 64 packets received by the decryptor. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.
Increasing the anti-replay window size has no impact on throughput or security. The impact on memory is insignificant because only an extra 128 bytes per incoming IPsec SA is needed to store the sequence number state on the decryptor. It is recommended that you use the full 1024 window size to eliminate any future anti-replay problems.
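The following Python model is an added example, not code from the Cisco document, and it does not reproduce the IOS implementation. It implements the receiver-side window exactly as the text describes it (X as the highest accepted sequence number, N as the window size, a bitmap for X-N+1 through X, and discard for X-N or lower) and then replays the QoS scenario above: a low-priority packet that arrives after a run of higher-priority packets is accepted with N=1024 but discarded as stale with the default N=64. The class name, the verdict strings and the simulation function are the example's own choices; the accepted window sizes are the values the command reference lists.

```python
from dataclasses import dataclass


@dataclass
class AntiReplayWindow:
    """Receiver-side anti-replay state as the page describes it (example model).

    X (`highest`) is the highest sequence number accepted so far, N (`size`)
    the window size, and `seen` is a bitmap recording which of the sequence
    numbers X-N+1 .. X have already been accepted (bit k set = X-k seen).
    A 1024-bit bitmap is 128 bytes, the per-SA figure quoted on the page.
    """
    size: int = 64        # N; the command reference allows 64, 128, 256, 512 or 1024
    enabled: bool = True  # False models 'security-association replay disable'
    highest: int = 0      # X; 0 means no packet has been accepted yet
    seen: int = 0         # bitmap over the window, bit 0 = X

    def __post_init__(self):
        if self.size not in (64, 128, 256, 512, 1024):
            raise ValueError("window size must be 64, 128, 256, 512 or 1024")
        self.mask = (1 << self.size) - 1

    def check(self, seq: int) -> str:
        """Classify a received sequence number and update the window.

        Returns 'accept', 'replay' (already seen inside the window) or
        'stale' (sequence number X-N or lower, i.e. outside the window).
        """
        if not self.enabled:
            return "accept"          # checking disabled: every packet passes
        if seq > self.highest:
            # Packet advances the window: shift the bitmap and mark bit 0.
            shift = seq - self.highest
            self.seen = 1 if shift >= self.size else ((self.seen << shift) | 1) & self.mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq  # distance below X
        if offset >= self.size:
            return "stale"           # X-N or lower: the page's 'discarded' case
        if (self.seen >> offset) & 1:
            return "replay"          # duplicate of a packet already accepted
        self.seen |= 1 << offset     # late but inside the window: accept once
        return "accept"


def delayed_packet_verdict(window_size: int, total: int, delayed_seq: int, delay: int) -> str:
    """Deliver packets 1..total in order, except that packet `delayed_seq`
    arrives only after `delay` later packets (the page's QoS case: a
    low-priority packet held behind prioritised traffic). Returns the
    window's verdict for the delayed packet. `total` must exceed
    `delayed_seq + delay` so the delayed packet actually arrives."""
    order = list(range(1, total + 1))
    order.remove(delayed_seq)
    order.insert(delayed_seq - 1 + delay, delayed_seq)
    window = AntiReplayWindow(size=window_size)
    verdicts = {seq: window.check(seq) for seq in order}
    return verdicts[delayed_seq]


if __name__ == "__main__":
    # Constructed scenario: packet 10 held back by 63, 64 and 500 positions.
    for size in (64, 1024):
        for delay in (63, 64, 500):
            verdict = delayed_packet_verdict(size, 2000, 10, delay)
            print(f"N={size:4d} delay={delay:3d}: {verdict}")
```

The boundary is the one the text states: with N=64, a packet delayed by 63 positions is still inside X-N+1 through X and is accepted, while a delay of 64 puts it at X-N and it is discarded; the same packet is accepted with N=1024. Disabling the check (`enabled=False`) accepts duplicates as well, which is why the `replay disable` commands later on this page trade replay protection for tolerance of arbitrary reordering.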
How to Configure IPsec Anti-Replay Window: Expanding and Disabling
This section contains the following procedures:
• Configuring IPsec Anti-Replay Window: Expanding and Disabling Globally (optional)
• Configuring IPsec Anti-Replay Window: Expanding and Disabling on a Crypto Map (optional)
Configuring IPsec Anti-Replay Window: Expanding and Disabling Globally
To configure IPsec Anti-Replay Window: Expanding and Disabling globally (so that it affects all SAs that are created, except those that are specifically overridden on a per-crypto-map basis), perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ipsec security-association replay window-size [N]
4. crypto ipsec security-association replay disable
DETAILED STEPS
Configuring IPsec Anti-Replay Window: Expanding and Disabling on a Crypto Map
To configure IPsec Anti-Replay Window: Expanding and Disabling on a crypto map so that it affects those SAs that have been created using a specific crypto map or profile, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto map map-name seq-num [ipsec-isakmp]
4. set security-association replay window-size [N]
5. set security-association replay disable
DETAILED STEPS
Troubleshooting Tips
• If your replay window size has not been set to a number that is high enough for the number of packets received, you will receive a system message such as the following:
*Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
The above message is generated when a received packet is judged to be outside the anti-replay window.
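When deciding whether a window is undersized, it helps to know how often the message above fires and for which SAs. The following Python is an added example, not part of the Cisco document: it parses the %CRYPTO-4-PKT_REPLAY_ERR message in the form quoted above, counts failures per connection id, and reports the connections that exceed a threshold. The log lines are constructed for the example (only the first one is the message quoted on the page; the others are invented), and the threshold and function names are the example's own.

```python
import re
from collections import Counter

# Matches the system message quoted on the page. The leading '*' and the
# 'Nov 17 19:27:32.279' prefix are the IOS 'service timestamps log datetime msec'
# form shown in the page's own example; the regex tolerates a missing '*'.
REPLAY_ERR = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=(?P<conn>\d+)"
)

# Constructed sample log: one replay-check failure copied from the page, plus
# invented follow-on lines (an unrelated LINEPROTO message is included so the
# filter has something to skip).
SAMPLE_LOG = """\
*Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
*Nov 17 19:27:32.301: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
*Nov 17 19:27:33.010: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
*Nov 17 19:27:35.117: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=3
*Nov 17 19:27:36.402: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
"""


def parse_replay_errors(log_text: str):
    """Yield (timestamp, connection_id) for each replay-check failure in the log."""
    for line in log_text.splitlines():
        m = REPLAY_ERR.match(line)
        if m:
            yield m.group("ts"), int(m.group("conn"))


def replay_errors_per_connection(log_text: str) -> Counter:
    """Count replay-check failures per IPsec connection id."""
    return Counter(conn for _, conn in parse_replay_errors(log_text))


def connections_over_threshold(log_text: str, threshold: int = 2) -> list:
    """Return the connection ids whose failure count reaches `threshold`.

    A connection that keeps tripping the check on a link with QoS reordering
    is the page's undersized-window case; the remedy it gives is to raise the
    window size (up to 1024) rather than to disable the check.
    """
    counts = replay_errors_per_connection(log_text)
    return sorted(conn for conn, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(replay_errors_per_connection(SAMPLE_LOG))
    print("over threshold:", connections_over_threshold(SAMPLE_LOG, threshold=2))
```

In practice the function would be fed the output of the router's logging buffer or a syslog collector rather than the embedded sample; the regex is anchored at the start of the line, so lines that carry an extra syslog relay prefix would need that prefix stripped first.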
Configuration Examples for IPsec Anti-Replay Window: Expanding and Disabling
This section includes the following configuration examples:
• Global Expanding and Disabling of an Anti-Replay Window: Example
Global Expanding and Disabling of an Anti-Replay Window: Example
The following example shows that the anti-replay window size has been set globally to 1024:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-Gateway1
!
boot-start-marker
boot-end-marker
!
!
clock timezone EST 0
no aaa new-model
ip subnet-zero
!
!
ip audit po max-events 100
no ftp-server write-enable
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 192.165.201.2
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set basic esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.165.201.2
 set transform-set basic
 match address 101
!
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial1/0
 ip address 192.165.200.2 255.255.255.252
 serial restart-delay 0
 crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.165.200.1
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 remark Crypto ACL
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

Expanding and Disabling of an Anti-Replay Window for a Particular Crypto Map, Dynamic Crypto Map, or Crypto Profile: Example
The following example shows that anti-replay checking is disabled for IPsec connections to 172.17.150.2 but enabled (and the default window size is 64) for IPsec connections to 172.17.150.3 and 172.17.150.4:
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname networkserver1
!
enable secret 5 $1$KxKv$cbqKsZtQTLJLGPN.tErFZ1
enable password ww
!
ip subnet-zero
!
cns event-service server
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco170 address 172.17.150.2
crypto isakmp key cisco180 address 172.17.150.3
crypto isakmp key cisco190 address 172.17.150.4
crypto ipsec transform-set 170cisco esp-des esp-md5-hmac
crypto ipsec transform-set 180cisco esp-des esp-md5-hmac
crypto ipsec transform-set 190cisco esp-des esp-md5-hmac
crypto map ETH0 17 ipsec-isakmp
 set peer 172.17.150.2
 set security-association replay disable
 set transform-set 170cisco
 match address 170
crypto map ETH0 18 ipsec-isakmp
 set peer 192.168.1.3
 set transform-set 180cisco
 match address 180
crypto map ETH0 19 ipsec-isakmp
 set peer 192.168.1.4
 set transform-set 190cisco
 match address 190
!
interface Ethernet0
 ip address 172.17.150.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 no mop enabled
 crypto map ETH0
!
interface Serial0
 ip address 172.16.160.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
!
ip classless
ip route 172.18.170.0 255.255.255.0 172.17.150.2
ip route 172.19.180.0 255.255.255.0 172.17.150.3
ip route 172.20.190.0 255.255.255.0 172.17.150.4
no ip http server
!
access-list 170 permit ip 172.16.160.0 0.0.0.255 172.18.170.0 0.0.0.255
access-list 180 permit ip 172.16.160.0 0.0.0.255 172.19.180.0 0.0.0.255
access-list 190 permit ip 172.16.160.0 0.0.0.255 172.20.190.0 0.0.0.255
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
end

Additional References
The following sections provide references related to IPsec Anti-Replay Window: Expanding and Disabling.
Related Documents
Related Topic                 Document Title
Cisco IOS commands            Cisco IOS Security Command Reference, Release 12.3T
IP security and encryption    "IP Security and Encryption" section of Cisco IOS Security Configuration Guide, Release 12.3
Standards
Standard                                                                                                                                   Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.    —
MIBs
RFCs
RFC                                                                                                                           Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.    —
Technical Assistance
Command Reference
This section documents modified commands only.
• crypto ipsec security-association replay disable
• crypto ipsec security-association replay window-size
• set security-association replay disable
• set security-association replay window-size
crypto ipsec security-association replay disable
To disable anti-replay checking globally, use the crypto ipsec security-association replay disable command in global configuration mode. To reset the configuration to enable anti-replay checking, use the no form of this command.
crypto ipsec security-association replay disable
no crypto ipsec security-association replay disable
Syntax Description
This command has no arguments or keywords.
Defaults
Anti-replay checking is enabled.
Command Modes
Global configuration
Command History
Examples
The following example shows that anti-replay checking has been disabled globally:
crypto map mymap 10
exit
crypto ipsec security-association replay disable

Related Commands
Command                                                  Description
crypto ipsec security-association replay window-size    Sets the size of the SA anti-replay window.
crypto ipsec security-association replay window-size
To set the size of the security association (SA) anti-replay window globally, use the crypto ipsec security-association replay window-size command in global configuration mode. To reset the window size to the default of 64, use the no form of this command.
crypto ipsec security-association replay window-size [N]
no crypto ipsec security-association replay window-size
Syntax Description
N
(Optional) Size of the window. Values can be 64, 128, 256, 512, or 1024. This value becomes the default value.
Note
The window size is significant only if anti-replay checking is enabled.
Defaults
If a window size is not entered, the default is 64.
Command Modes
Global configuration
Command History
Examples
The following example shows that the size of the SA anti-replay window has been set globally to 128:
crypto map mymap 20
exit
crypto ipsec security-association replay window-size 128

Related Commands
set security-association replay disable
To disable anti-replay checking for a particular crypto map, dynamic crypto map, or crypto profile, use the set security-association replay disable command in crypto map configuration or crypto profile configuration mode. To enable anti-replay checking, use the no form of this command.
set security-association replay disable
no set security-association replay disable
Syntax Description
This command has no arguments or keywords.
Defaults
Anti-replay checking is enabled.
Command Modes
Crypto map configuration
Crypto profile configuration
Command History
Examples
The following example shows that anti-replay checking has been disabled for the crypto map named "mymap."
crypto map mymap 30
set security-association replay disable

Related Commands
Command                                        Description
set security-association replay window-size    Controls the SAs that are created using the policy specified by a particular crypto map, dynamic crypto map, or crypto profile.
set security-association replay window-size
To control the security associations (SAs) that are created using the policy specified by a particular crypto map, dynamic crypto map, or crypto profile, use the set security-association replay window-size command in crypto map configuration or crypto profile configuration mode. To reset the crypto map to follow the global configuration that was specified by the crypto ipsec security-association replay window-size command, use the no form of this command.
set security-association replay window-size [N]
no set security-association replay window-size
Syntax Description
N
(Optional) Size of the window. The value can be 64, 128, 256, 512, or 1024. This value sets the window size for a particular crypto map, dynamic crypto map, or crypto profile.
Defaults
Window size is not set.
Command Modes
Crypto map configuration
Crypto profile configuration
Command History
Examples
The following example shows that the SA window size has been set to 256 for the crypto map named "mymap":
crypto map mymap 10
set security-association replay window-size 256

Related Commands
Command                                    Description
set security-association replay disable    Disables anti-replay checking for a particular crypto map, dynamic crypto map, or crypto profile.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2005-2006 Cisco Systems, Inc. All rights reserved.