Enabling ACL checking for de-encapsulated packets
About ACL checking for de-encapsulated packets
This feature compares the de-encapsulated incoming IPsec packets against the ACL in the IPsec policy and discards those that do not match any permit rule of the ACL. This feature helps protect networks against attacks that use forged IPsec packets.
This feature applies only to tunnel-mode IPsec.
Procedure
Enter system view.
system-view
Enable ACL checking for de-encapsulated packets.
ipsec decrypt-check enable
By default, ACL checking for de-encapsulated packets is enabled.
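The following is an added illustration of the check described above, written as a simplified model and not taken from the device's own implementation: after de-encapsulation, the inner packet's source and destination are matched against the ACL bound to the IPsec policy (first matching rule decides, which is an assumption of this model), and only a permit match lets the packet through. The ACL, addresses and the ipsec decrypt-check on/off switch are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    """One rule of the ACL referenced by the IPsec policy."""
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network       # inner source prefix
    dst: ipaddress.IPv4Network       # inner destination prefix


def rule_matches(rule: AclRule, src_ip: str, dst_ip: str) -> bool:
    """True if the inner packet's addresses fall inside the rule's prefixes."""
    return (ipaddress.ip_address(src_ip) in rule.src
            and ipaddress.ip_address(dst_ip) in rule.dst)


def decrypt_check(inner_src: str, inner_dst: str, acl: list[AclRule],
                  check_enabled: bool = True) -> str:
    """Decide the fate of a tunnel-mode packet after de-encapsulation.

    check_enabled models 'ipsec decrypt-check enable' (the default).
    Returns "forward" or "discard". With the check off, every packet
    that decrypted successfully is forwarded, even if its inner header
    is outside the traffic the policy protects.
    """
    if not check_enabled:
        return "forward"
    for rule in acl:                 # assumed first-match evaluation
        if rule_matches(rule, inner_src, inner_dst):
            return "forward" if rule.action == "permit" else "discard"
    return "discard"                 # no permit rule matched


# Constructed sample ACL: the policy protects 10.1.1.0/24 <-> 10.2.2.0/24,
# written from the perspective of the device inspecting inbound packets.
PROTECTED_ACL = [
    AclRule("deny", ipaddress.ip_network("10.1.1.250/32"),
            ipaddress.ip_network("10.2.2.0/24")),
    AclRule("permit", ipaddress.ip_network("10.1.1.0/24"),
            ipaddress.ip_network("10.2.2.0/24")),
]

if __name__ == "__main__":
    # Legitimate inner packet versus a forged one whose inner source lies
    # outside the protected subnet; the forged packet is dropped.
    print(decrypt_check("10.1.1.5", "10.2.2.9", PROTECTED_ACL))
    print(decrypt_check("192.168.9.9", "10.2.2.9", PROTECTED_ACL))
```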