Enabling ACL checking for de-encapsulated packets

About ACL checking for de-encapsulated packets

This feature compares the de-encapsulated incoming IPsec packets against the ACL in the IPsec policy and discards those that do not match any permit rule of the ACL. This feature can protect networks against attacks using forged IPsec packets.

This feature applies only to tunnel-mode IPsec.

Procedure

  1. Enter system view.

    system-view

  2. Enable ACL checking for de-encapsulated packets.

    ipsec decrypt-check enable

    By default, ACL checking for de-encapsulated packets is enabled.
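To illustrate the decision the feature makes, here is an added Python model of the check (this is example code, not Comware code or the device's implementation). It assumes a simplified policy ACL with only source and destination prefixes and first-match semantics; real ACLs carry more fields.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Simplified model of the IPsec policy ACL: first-match rules keyed on
# source/destination prefixes only (assumption made for this example).
@dataclass(frozen=True)
class AclRule:
    action: str  # "permit" or "deny"
    src: str     # source prefix, e.g. "10.1.1.0/24"
    dst: str     # destination prefix

@dataclass(frozen=True)
class InnerPacket:
    """The inner IP header recovered after tunnel-mode de-encapsulation."""
    src: str
    dst: str

def acl_permits(rules, pkt):
    """First-match lookup of the de-encapsulated header against the policy ACL.
    Only an explicit permit hit returns True; a deny hit or no match returns
    False, which is the 'does not match any permit rule' case that is discarded."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in rules:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule.action == "permit"
    return False

def process_decapsulated(rules, packets, decrypt_check=True):
    """Return (forwarded, dropped). With the check enabled, packets that
    decrypted correctly but carry an inner header outside the ACL are dropped;
    with it disabled, every successfully de-encapsulated packet is forwarded."""
    forwarded, dropped = [], []
    for pkt in packets:
        if not decrypt_check or acl_permits(rules, pkt):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped

# Constructed sample: the policy ACL protects 10.1.1.0/24 <-> 10.2.2.0/24,
# with one constructed deny exception for a single host.
POLICY_ACL = [
    AclRule("deny", "10.1.1.0/24", "10.2.2.254/32"),
    AclRule("permit", "10.1.1.0/24", "10.2.2.0/24"),
]
SAMPLE_PACKETS = [
    InnerPacket("10.1.1.5", "10.2.2.9"),       # matches the permit rule
    InnerPacket("192.168.99.1", "10.2.2.9"),   # inner source outside the policy
    InnerPacket("10.1.1.5", "10.2.2.254"),     # hits the deny rule first
]
```

Running `process_decapsulated(POLICY_ACL, SAMPLE_PACKETS)` forwards only the first packet; passing `decrypt_check=False` forwards all three, which is the behaviour `undo`-ing the check would give.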