-
Cisco IOS Security Configuration Guide, Release 12.4
- Authentication, Authorization, and Accounting (AAA)
-
Security Server Protocols
-
RADIUS
-
Configuring RADIUS
-
AAA Dead-Server Detection
-
ACL Default Direction
-
Attribute Screening for Access Requests
-
Enable Multilink PPP via RADIUS for Preauthentication User
-
Enhanced Test Command
-
Framed-Route in RADIUS Accounting
-
Offload Server Accounting Enhancement
-
Per VRF AAA
-
RFC-2867 RADIUS Tunnel Accounting
-
RADIUS Attribute Screening
-
RADIUS Centralized Filter Management
-
RADIUS Debug Enhancements
-
RADIUS Logical Line ID
-
RADIUS NAS-IP-Address Attribute Configurability
-
RADIUS Route Download
-
RADIUS Support of 56-Bit Acct Session-Id
-
RADIUS Tunnel Preference for Load Balancing and Fail-Over
-
RADIUS Server Reorder on Failure
-
Tunnel Authentication via RADIUS on Tunnel Terminator
-
- TACACS+
-
Configuring Kerberos
-
RADIUS
-
Traffic Filtering, Firewalls, and Virus Detection
-
Access Control Lists: Overview and Guidelines
-
Cisco IOS Firewall Overview
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
-
Context-Based Access Control
-
Configuring Context-based Access Control
-
Cisco IOS Firewall Performance Improvements
-
Email Inspection Engine
-
ESMTP Support for Cisco IOS Firewall
-
Firewall ACL Bypass
-
Firewall N2H2 Support
-
Firewall Stateful Inspection of ICMP
-
Firewall Support for SIP
-
Firewall Websense URL Filtering
-
Firewall Support of Skinny Client Control Protocol (SCCP)
-
Granular Protocol Inspection
-
HTTP Inspection Engine
-
Inspection of Router-Generated Traffic
-
Transparent Cisco IOS Firewall
-
Virtual Fragmentation Reassembly
-
-
Configuring Cisco IOS Intrusion Prevention System (IPS)
-
Network Admission Control
- Authentication Proxy
-
Configuring Port to Application Mapping
-
-
IPSec and IKE
- Internet Key Exchange for IPSec VPNs
-
Security for VPNs with IPSec
-
Configuring Security for VPNs with IPSec
-
Cisco Easy VPN Remote
-
Crypto Access Check on Clear-Text Packets
-
DF Bit Override Functionality with IPsec Tunnels
-
Distinguished Name Based Crypto Maps
-
Dynamic Multipoint VPN (DMVPN)
-
Easy VPN Remote RSA Signature Support
-
Easy VPN Server
-
Invalid Security Parameter Index Recovery
-
IP Security VPN Monitoring
-
IPsec and Quality of Service
-
IPSec Anti-Replay Window: Expanding and Disabling
-
IPsec Dead Peer Detection Periodic Message Option
-
IPsec NAT Transparency
-
IPSec Preferred Peer
-
IPsec Security Association Idle Timers
-
IPsec--SNMP Support
-
IPSec Virtual Tunnel Interface
-
IPsec VPN Accounting
-
IPsec VPN High Availability Enhancements
-
Low Latency Queueing (LLQ) for IPsec Encryption Engines
-
L2TP—IPsec Support for NAT and PAT Windows Clients
-
Pre-Fragmentation for IPsec VPNs
-
Real-Time Resolution for IPsec Tunnel Peer
-
Reverse Route Injection
-
SafeNet IPSec VPN Client Support
-
Stateful Failover for IPsec
-
VRF-Aware Ipsec
-
-
Public Key Infrastructure (PKI)
-
Implementing and Managing PKI Features Roadmap
-
Cisco IOS PKI Overview: Understanding and Planning a PKI
-
Deploying RSA Keys Within a PKI
-
Configuring Authorization and Revocation of Certificates in a PKI
-
Configuring Certificate Enrollment for a PKI
-
Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI
-
Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment
-
Storing PKI Credentials
-
- Other Security Features
- Secure Infrastructure
-
Appendixes
-
RADIUS Attributes
-
RADIUS Attributes Overview and RADIUS IETF Attributes
-
RADIUS Vendor-Proprietary Attributes
-
Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
-
Connect-Info RADIUS Attribute 77
-
Encrypted Vendor Specific Attributes
-
Local AAA Server
-
Per-User QoS via AAA Policy Name
-
RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
-
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
-
RADIUS Attribute 82: Tunnel Assignment ID
-
RADIUS Attribute 104
-
RADIUS Progress Codes
-
RADIUS Timeout Set During Pre-Authentication
-
RADIUS Tunnel Attribute Extensions
-
V.92 Reporting Using RADIUS Attribute v.92-info
-
TACACS+ Attribute-Value Pairs
-
-
TACACS+ Attribute-Value Pairs
-
RADIUS Attributes
Table Of Contents
IPsec Anti-Replay Window: Expanding
and DisablingPrerequisites for IPsec Anti-Replay Window: Expanding
and DisablingInformation About IPsec Anti-Replay Window: Expanding
and DisablingHow to Configure IPsec Anti-Replay Window: Expanding
and DisablingConfiguring IPsec Anti-Replay Window: Expanding and Disabling Globally
Configuring IPsec Anti-Replay Window: Expanding and Disabling
on a Crypto MapConfiguration Examples for IPsec Anti-Replay
Window: Expanding and DisablingGlobal Expanding and Disabling of an Anti-Replay Window: Example
IPsec Anti-Replay Window: Expanding
and Disabling
First Published: February 28, 2005Last Updated: September 12, 2006Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this number (window size) is sufficient, but there are times when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.
History for the IPsec Anti-Replay Window: Expanding and Disabling Feature
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for IPsec Anti-Replay Window: Expanding and Disabling
•
•
•
Prerequisites for IPsec Anti-Replay Window: Expanding
and Disabling•
Information About IPsec Anti-Replay Window: Expanding
and DisablingTo configure the IPsec Anti-Replay Window: Expanding and Disabling feature, you should understand the following concept:
IPsec Anti-Replay Window
Cisco IPsec authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. (Security association [SA] anti-replay is a security service in which the receiver can reject old or duplicate packets to protect itself against replay attacks.) The decryptor checks off the sequence numbers that it has seen before. The encryptor assigns sequence numbers in an increasing order. The decryptor remembers the value X of the highest sequence number that it has already seen. N is the window size, and the decryptor also remembers whether it has seen packets having sequence numbers from X-N+1 through X. Any packet with the sequence number X-N is discarded. Currently, N is set at 64, so only 64 packets can be tracked by the decryptor.
At times, however, the 64-packet window size is not sufficient. For example, Cisco quality of service (QoS) gives priority to high-priority packets, which could cause some low-priority packets to be discarded even though they could be one of the last 64 packets received by the decryptor. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.
Increasing the anti-replay window size has no impact on throughput and security. The impact on memory is insignificant because only an extra 128 bytes per incoming IPsec SA is needed to store the sequence number on the decryptor. It is recommended that you use the full 1024 window size to eliminate any future anti-replay problems.
How to Configure IPsec Anti-Replay Window: Expanding
and DisablingThis section contains the following procedures:
•
•
Configuring IPsec Anti-Replay Window: Expanding and Disabling Globally
To configure IPsec Anti-Replay Window: Expanding and Disabling globally (so that it affects all SAs that are created— except for those that are specifically overridden on a per-crypto map basis), perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring IPsec Anti-Replay Window: Expanding and Disabling
on a Crypto MapTo configure IPsec Anti-Replay Window: Expanding and Disabling on a crypto map so that it affects those SAs that have been created using a specific crypto map or profile, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Troubleshooting Tips
•
*Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1The above message is generated when a received packet is judged to be outside the anti-replay window.
Configuration Examples for IPsec Anti-Replay
Window: Expanding and DisablingThis section includes the following configuration examples:
•
Global Expanding and Disabling of an Anti-Replay Window: Example
The following example shows that the anti-replay window size has been set globally to 1024:
version 12.3service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname VPN-Gateway1!boot-start-markerboot-end-marker!!clock timezone EST 0no aaa new-modelip subnet-zero!!ip audit po max-events 100no ftp-server write-enable!!crypto isakmp policy 10authentication pre-sharecrypto isakmp key cisco123 address 192.165.201.2 !crypto ipsec security-association replay window-size 1024 !crypto ipsec transform-set basic esp-des esp-md5-hmac !crypto map mymap 10 ipsec-isakmpset peer 192.165.201.2set transform-set basicmatch address 101!!interface Ethernet0/0ip address 192.168.1.1 255.255.255.0!interface Serial1/0ip address 192.165.200.2 255.255.255.252 serial restart-delay 0 crypto map mymap !ip classlessip route 0.0.0.0 0.0.0.0 192.165.200.1no ip http serverno ip http secure-server!!access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.2.0 0.0.0.255 access-list 101 remark Crypto ACL!!control-plane!!line con 0line aux 0line vty 0 4!!endExpanding and Disabling of an Anti-Replay Window for a Particular Crypto Map, Dynamic Crypto Map, or Crypto Profile: Example
The following example shows that anti-replay checking is disabled for IPsec connections to 172.17.150.2 but enabled (and the default window size is 64) for IPsec connections to 172.17.150.3 and 172.17.150.4:
service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname networkserver1!enable secret 5 $1$KxKv$cbqKsZtQTLJLGPN.tErFZ1 enable password ww !ip subnet-zero!cns event-service servercrypto isakmp policy 1authentication pre-sharecrypto isakmp key cisco170 address 172.17.150.2 crypto isakmp key cisco180 address 172.17.150.3 crypto isakmp key cisco190 address 172.17.150.4crypto ipsec transform-set 170cisco esp-des esp-md5-hmac crypto ipsec transform-set 180cisco esp-des esp-md5-hmac crypto ipsec transform-set 190cisco esp-des esp-md5-hmaccrypto map ETH0 17 ipsec-isakmpset peer 172.17.150.2set security-association replay disable set transform-set 170cisco match address 170 crypto map ETH0 18 ipsec-isakmp set peer 192.168.1.3 set transform-set 180cisco match address 180 crypto map ETH0 19 ipsec-isakmp set peer 192.168.1.4 set transform-set 190cisco match address 190 !interface Ethernet0ip address 172.17.150.1 255.255.255.0no ip directed-broadcastno ip route-cacheno ip mroute-cacheno mop enabledcrypto map ETH0!interface Serial0ip address 172.16.160.1 255.255.255.0no ip directed-broadcastno ip mroute-cacheno fair-queue!ip classlessip route 172.18.170.0 255.255.255.0 172.17.150.2 ip route 172.19.180.0 255.255.255.0 172.17.150.3 ip route 172.20.190.0 255.255.255.0 172.17.150.4 no ip http server !access-list 170 permit ip 172.16.160.0 0.0.0.255 172.18.170.0 0.0.0.255 access-list 180 permit ip 172.16.160.0 0.0.0.255 172.19.180.0 0.0.0.255 access-list 190 permit ip 172.16.160.0 0.0.0.255 172.20.190.0 0.0.0.255 !dialer-list 1 protocol ip permitdialer-list 1 protocol ipx permit!line con 0transport input noneline aux 0line vty 0 4password wwloginendAdditional References
The following sections provide references related to IPsec Anti-Replay Window: Expanding and Disabling.
Related Documents
Cisco IOS commands
Cisco IOS Security Command Reference, Release 12.3T
IP security and encryption
"IP Security and Encryption" section of Cisco IOS Security Configuration Guide, Release 12.3
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features
•
•
•
•
For information about these commands, see the Cisco IOS Security Command Reference at
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.
For information about all Cisco IOS commands, see the Command Lookup Tool at
http://tools.cisco.com/Support/CLILookup or the Master Command List.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
