Enabling ACL checking of de-encapsulated IPsec packets
This feature is supported only in FIPS mode.
In tunnel mode, the IP packet encapsulated in an inbound IPsec packet may not be one that the ACL specifies for protection; a forged packet, for example, is not. When ACL checking of de-encapsulated IPsec packets is enabled, every de-encapsulated packet that fails the check is discarded, which improves network security.
To enable ACL checking of de-encapsulated IPsec packets:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable ACL checking of de-encapsulated IPsec packets. | ipsec decrypt check | Optional. Enabled by default. |
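The check described above, modelled in Python as an added example (this is not device code from the vendor documentation). It assumes the IPsec policy's ACL is a first-match list of permit/deny rules on inner source and destination addresses, with an implicit deny at the end; the sample ACL and packets are constructed for illustration, and the real device matches additional fields (protocol, ports) that this model omits.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class AclRule:
    """One rule of the IPsec policy's ACL (assumed permit/deny on src/dst prefixes)."""
    action: str                      # "permit" = traffic to be protected, "deny" = not protected
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass
class InnerPacket:
    """The IP packet recovered after IPsec de-encapsulation (tunnel mode)."""
    src: str
    dst: str

def acl_permits(acl: List[AclRule], pkt: InnerPacket) -> bool:
    """First-match evaluation: True only if a permit rule matches the inner packet.
    No match at all is an implicit deny, so a packet outside every protected
    flow (e.g. a forged inner header) is rejected."""
    s = ipaddress.ip_address(pkt.src)
    d = ipaddress.ip_address(pkt.dst)
    for rule in acl:
        if s in rule.src and d in rule.dst:
            return rule.action == "permit"
    return False

def filter_decapsulated(acl: List[AclRule], packets: List[InnerPacket],
                        check_enabled: bool = True) -> Tuple[List[InnerPacket], List[InnerPacket]]:
    """Apply 'ipsec decrypt check' semantics: with the check enabled, a
    de-encapsulated packet that the ACL does not permit is discarded; with it
    disabled, every de-encapsulated packet is forwarded."""
    accepted, dropped = [], []
    for pkt in packets:
        if check_enabled and not acl_permits(acl, pkt):
            dropped.append(pkt)
        else:
            accepted.append(pkt)
    return accepted, dropped

# Constructed sample: the ACL protects 10.1.1.0/24 -> 10.1.2.0/24 only.
PROTECTED_ACL = [
    AclRule("permit", ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24")),
]

# Constructed inner packets: one legitimate, two that no ACL rule covers.
SAMPLE_PACKETS = [
    InnerPacket("10.1.1.5", "10.1.2.7"),      # matches the protected flow
    InnerPacket("192.168.9.9", "10.1.2.7"),   # source outside the protected range
    InnerPacket("10.1.1.5", "172.16.0.1"),    # destination outside the protected range
]

if __name__ == "__main__":
    ok, bad = filter_decapsulated(PROTECTED_ACL, SAMPLE_PACKETS)
    print(f"check enabled: forwarded={len(ok)} discarded={len(bad)}")
    ok, bad = filter_decapsulated(PROTECTED_ACL, SAMPLE_PACKETS, check_enabled=False)
    print(f"check disabled: forwarded={len(ok)} discarded={len(bad)}")
```

With the check enabled only the packet inside the protected flow is forwarded; disabling it (the `undo` form on the device, which is outside this example's scope) forwards all three, including the two whose inner headers no ACL rule covers.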