Step 3. Apply an IPsec policy to the interface.
  Command: ipsec { policy | ipv6-policy } policy-name
  Remarks: By default, no IPsec policy is applied to the interface. An interface can reference only one IPsec policy. An IKE-mode IPsec policy can be applied to multiple interfaces, and a manual IPsec policy can be applied to only one interface.

Enabling ACL checking for de-encapsulated packets

This feature uses the ACL in the IPsec policy to match the IP packets that are de-encapsulated from incoming IPsec packets in tunnel mode, and it discards the IP packets that fail to match the ACL to avoid attacks using forged packets.

To enable ACL checking for de-encapsulated packets:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enable ACL checking for de-encapsulated packets.
  Command: ipsec decrypt-check enable
  Remarks: By default, this feature is enabled.

Configuring the IPsec anti-replay function

The IPsec anti-replay function protects networks against replay attacks by using a sliding window mechanism called the anti-replay window. This function checks the sequence number of each received IPsec packet against the current sequence number range of the sliding window. If the sequence number is not in the current sequence number range, the packet is considered a replayed packet and is discarded.

IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is not required, and the de-encapsulation process consumes large amounts of resources and degrades performance, resulting in DoS. IPsec anti-replay can check and discard replayed packets before de-encapsulation.

In some situations, service data packets are received in a different order than their original order. The IPsec anti-replay function drops them as replayed packets, which impacts communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.

IPsec anti-replay does not affect manually created IPsec SAs. According to the IPsec protocol, only IPsec SAs negotiated by IKE support anti-replay checking.
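The sliding-window check described above, as an added illustration modelled on the ESP anti-replay window in RFC 4303 section 3.4.3; it is not the device's own implementation. The packet trace and the window sizes 4 and 64 are constructed to show both a genuine replay being dropped and a legitimately reordered packet being dropped when the window is too small.

```python
"""Sliding-window anti-replay check in the style of RFC 4303 (ESP).

Sequence numbers are treated as plain 32-bit ESP counters; extended
sequence numbers (ESN) and wrap-around are ignored for clarity.
"""


class AntiReplayWindow:
    """Window covering the last `size` sequence numbers up to the highest one
    accepted. Bit i of `bitmap` is set when sequence (highest - i) was seen."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit 0 corresponds to self.highest

    def check(self, seq: int) -> str:
        """Classify a received sequence number without changing state.
        Returns 'new', 'duplicate' or 'too_old'."""
        if seq == 0:
            return "too_old"          # 0 is never a valid ESP sequence number
        if seq > self.highest:
            return "new"              # right of the window: window will advance
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"          # left of the window: replay or late packet
        return "duplicate" if (self.bitmap >> offset) & 1 else "new"

    def update(self, seq: int) -> None:
        """Record seq as seen. Call only after integrity verification passed,
        so forged packets cannot move the window forward."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.highest = seq
            self.bitmap |= 1
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, seq: int) -> str:
        """Check, then update the window if the packet is accepted."""
        verdict = self.check(seq)
        if verdict == "new":
            self.update(seq)
        return verdict


def run_trace(window_size: int, seqs: list) -> list:
    """Feed one constructed packet trace through a fresh window; return verdicts."""
    w = AntiReplayWindow(window_size)
    return [w.receive(s) for s in seqs]


# Constructed trace: 1..6 in order, 7 delayed behind 8..11, then 3 replayed.
TRACE = [1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 7, 3]

if __name__ == "__main__":
    for size in (4, 64):
        print(f"window {size}:", list(zip(TRACE, run_trace(size, TRACE))))
```

With a window of 64 the late packet 7 is accepted and only the replayed 3 is dropped; with a window of 4 the legitimate packet 7 is also dropped as too old, which is the reordering problem the text says to address by enlarging the window or disabling the check.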