IPsec Anti-Replay Window Expanding and Disabling

Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this number (window size) is sufficient, but there are times when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.


Note

Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for IPsec Anti-Replay Window Expanding and Disabling

  • Before configuring this feature, you should have already created a crypto profile.

Information About IPsec Anti-Replay Window Expanding and Disabling

IPsec Anti-Replay Window

Cisco IPsec authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. (Security association [SA] anti-replay is a security service in which the receiver can reject old or duplicate packets to protect itself against replay attacks.) The decryptor checks off the sequence numbers that it has seen before. The encryptor assigns sequence numbers in an increasing order. The decryptor remembers the value X of the highest sequence number that it has already seen. N is the window size, and the decryptor also remembers whether it has seen packets having sequence numbers from X-N+1 through X. Any packet with the sequence number X-N is discarded. Currently, N is set at 64, so only 64 packets can be tracked by the decryptor.

At times, however, the 64-packet window size is not sufficient. For example, Cisco quality of service (QoS) gives priority to high-priority packets, which could cause some low-priority packets to be discarded when they arrive outside of the 64 packet replay window at the decryptor. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.

Increasing the anti-replay window size has no impact on throughput and security. The impact on memory is insignificant because only an extra 128 bytes per incoming IPsec SA is needed to store the sequence number on the decryptor. It is recommended that you use the full 1024 window size to eliminate any future anti-replay problems.

How to Configure IPsec Anti-Replay Window Expanding and Disabling

Configuring IPsec Anti-Replay Window Expanding and Disabling Globally

To configure IPsec Anti-Replay Window: Expanding and Disabling globally (so that it affects all SAs that are created), perform the following steps.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    crypto ipsec security-association replay window-size [N]

    4.    crypto ipsec security-association replay disable


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example: 
    Router> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example: 
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 crypto ipsec security-association replay window-size [N]


    Example: 
    Router (config)# crypto ipsec security-association replay window-size 256
     

    Sets the size of the SA replay window globally.

    Note   

    Configure this command or the crypto ipsec security-association replay disable command. The two commands are not used at the same time.

     
    Step 4 crypto ipsec security-association replay disable


    Example: 
    Router (config)# crypto ipsec security-association replay disable
     

    Disables checking globally.

    Note   

    Configure this command or the crypto ipsec security-association replay window-size command. The two commands are not used at the same time.

     

    Configuring IPsec Anti-Replay Window Expanding and Disablingon a Crypto Map

    To configure IPsec Anti-Replay Window: Expanding and Disabling on a crypto map so that it affects those SAs that have been created using a specific crypto map or profile, perform the following steps.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    crypto map map-name seq-num [ipsec-isakmp]

      4.    set security-association replay window-size [ N ]

      5.    set security-association replay disable


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Router> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example:
      Router# configure terminal
       

      Enters global configuration mode.

       
      Step 3 crypto map map-name seq-num [ipsec-isakmp]


      Example:
      Router (config)# crypto map ETHO 17 ipsec-isakmp
       

      Enters crypto map configuration mode and creates a crypto profile that provides a template for configuration of dynamically created crypto maps.

       
      Step 4 set security-association replay window-size [ N ]


      Example:
      Router (crypto-map)# set security-association replay window-size 128
       

      Controls the SAs that are created using the policy specified by a particular crypto map, dynamic crypto map, or cyrpto profile.

      Note   

      Configure this command or the set security-association replay disable command. The two commands are not used at the same time.

       
      Step 5 set security-association replay disable


      Example:
      Router (crypto-map)# set security-association replay disable
       

      Disables replay checking for a particular crypto map, dynamic crypto map, or crypto profile.

      Note   

      Configure this command or the set security-association replay window-size command. The two commands are not used at the same time.

       

      Troubleshooting Tips

      • If your replay window size has not been set to a number that is high enough for the number of packets received, you will receive a system message such as the following:

      *Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1

      The above message is generated when a received packet is judged to be outside the anti-replay window.

      Configuration Examples for IPsec Anti-Replay Window Expanding and Disabling

      Global Expanding and Disabling of an Anti-Replay Window Example

      The following example shows that the anti-replay window size has been set globally to 1024: 

      version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-Gateway1
!
boot-start-marker
boot-end-marker
!
!
clock timezone EST 0
no aaa new-model
ip subnet-zero
!
!
ip audit po max-events 100
no ftp-server write-enable
!
!
crypto isakmp policy 10
  encryption aes
  authentication pre-share
  group 14
crypto isakmp key cisco123 address 192.165.201.2 
crypto ipsec security-association replay window-size 1024 
crypto ipsec transform-set basic esp-aes esp-sha-hmac 

!
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
!

!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.2.0 0.0.0.255 access-list 101 remark Crypto ACL 
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

      Expanding and Disabling of an Anti-Replay Window for Crypto Maps or Crypto Profiles Example

      The following example shows the expanding and disabling of an anti-replay windoe for a Particular Crypto Map, Dynamic Crypto Map, or Crypto Profile. In this example, anti-replay checking is disabled for IPsec connections to 172.17.150.2 but enabled (and the default window size is 64) for IPsec connections to 172.17.150.3 and 172.17.150.4: 

      service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname networkserver1
!
enable secret 5 $1$KxKv$cbqKsZtQTLJLGPN.tErFZ1 enable password ww !
ip subnet-zero
!
cns event-service server
crypto isakmp policy 1
  encr aes
  authentication pre-share
  group 14
crypto isakmp key cisco170 address 172.17.150.2 crypto isakmp key cisco180 
address 172.17.150.3 crypto isakmp key cisco190 address 172.17.150.4
crypto ipsec transform-set 170cisco esp-aes esp-sha-hmac crypto ipsec 
transform-set 180cisco esp-aes esp-sha-hmac crypto ipsec transform-set 
190cisco esp-aes esp-sha-hmac
crypto map ETH0 17 ipsec-isakmp
  set peer 172.17.150.2
  set security-association replay disable 
  set transform-set 170cisco 
  match address 170 
crypto map ETH0 18 ipsec-isakmp  
  set peer 192.168.1.3 
  set transform-set 180cisco 
  match address 180 
crypto map ETH0 19 ipsec-isakmp 
  set peer 192.168.1.4 
  set transform-set 190cisco 
  match address 190 !
interface Ethernet0
 ip address 172.17.150.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 no mop enabled
 crypto map ETH0
!
interface Serial0
 ip address 172.16.160.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
!
ip classless
ip route 172.18.170.0 255.255.255.0 172.17.150.2 ip route 172.19.180.0 255.255.255.0 172.17.150.3 ip route 172.20.190.0 255.255.255.0 172.17.150.4 no ip http server !
access-list 170 permit ip 172.16.160.0 0.0.0.255 172.18.170.0 0.0.0.255 access-list 180 permit ip 172.16.160.0 0.0.0.255 172.19.180.0 0.0.0.255 access-list 190 permit ip 172.16.160.0 0.0.0.255 172.20.190.0 0.0.0.255 !
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
transport input none
line aux 0
line vty 0 4
password ww
login
end

      Additional References

      Related Documents

      Related Topic

      Document Title

      Cisco IOS commands

      Cisco IOS Security Command Reference

      IP security and encryption

      Configuring Security for VPNs with IPsec

      MIBs

      MIBs

      MIBs Link

      None.

      To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL:

      http:/​/​www.cisco.com/​go/​mibs

      RFCs

      RFCs

      Title

      None.

      --

      Technical Assistance

      Description

      Link

      The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

      http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

      Feature Information for IPsec Anti-Replay Window Expanding and Disabling

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.
      Table 1 Feature Information for IPsec Anti-Replay Window: Expanding and Disabling

      Feature Name

      Releases

      Feature Information

      IPsec Anti-Replay Window: Expanding and Disabling

      12.3(14)T 12.2(33)SRA 12.2(33)SRA

      Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this number (window size) is sufficient, but there are times when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.

      This feature was introduced in Cisco IOS Release 12.3(14)T.

      This feature was integrated into Cisco IOS Release 12.2(33)SRA.

      This feature was integrated into Cisco IOS Release 12.2(18)SXF6.

      The following commands were introduced or modified: crypto ipsec security-association replay disable, crypto ipsec security-association replay window-size, set security-association replay disable, set security-association replay window-size .