The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Extended Sequence Number (ESN) is an addition to the IPsec standard sequence number that is used to assist high-speed IPsec implementations. IPSec packets have 32 bit sequence numbers, and rekey is mandatory for IKE-keyed IPSec Security Association (SA) after a sequence number rollover. ESN attempts to reduce this high IPsec SA rekey rate by extending the sequence number to 64 bits, this would increase the time before mandatory rekeys.
ESN must be supported by both IPsec peers involved in establishing a secure connection. This feature will not function if either one of the peers does not support ESN
Anti-replay configuration is required, when using ESN. For more details see, IPsec Anti-Replay Window Expanding and Disabling.
ESN is only supported on Cisco Catalyst 8500 Series Edge Platforms and Cisco ASR 1000 Series ESP 100-X and ESP 200-X.
ESN feature is not supported with DES or 3DES algorithms.
The Extended Sequence Number (ESN) is an addition to the IPsec standard sequence number that is used to assist high-speed IPsec implementations. ESN uses a larger sequence number space than the standard sequence number and it allows the customer to transmit large volumes of data at a high speed without rekeying.
IPSec packets have 32 bit sequence numbers, and rekey is mandatory for IKE-keyed IPSec Security Association (SA) after a sequence number rollover. ESN attempts to reduce this high IPsec SA rekey rate by extending the sequence number to 64 bits, this would increase the time before mandatory rekeys and prevents sequence number rollover. As a result, it lowers the usage of system resources and prevents frequent rekeying on high speed IPsec connections or IPsec implementations that require long IPsec SA lifetime.
To configure IPsec Extended Sequence Number support, perform the following steps.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
crypto ipsec transform-set transform-set-name transform1 [transform2] Example: |
Configures Transform Sets for IPsec.
|
|
Step 4 |
esn Example: |
(Optional) Enables IPsec ESN. |
|
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
Cisco IOS Security Command Reference |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
IPsec Extended Sequence Number (ESN) |
Cisco IOS XE Gibraltar 16.11.1 release |
This feature was introduced for the following platforms:
|
Feedback