Enabling ACL checking for de-encapsulated packets

With this feature enabled, the device checks each incoming IPsec packet after IPsec processing (decryption and de-encapsulation): the de-encapsulated inner packet is compared against the ACL referenced by the IPsec policy, and any packet that does not match a permit rule of that ACL is discarded. This protects the networks behind the device against attacks using forged IPsec packets, because traffic that does not belong to one of the protected data flows is dropped even if it arrives inside the tunnel. The check is only as strict as the ACL itself: an ACL that permits any traffic lets every inner packet through, so the ACL should match exactly the flows the tunnel is meant to carry.

This feature applies only to tunnel-mode IPsec, where the de-encapsulated packet carries its own IP header for the ACL to match against.

To enable ACL checking for de-encapsulated packets:

Step                                                  Command                       Remarks
1. Enter system view.                                 system-view                   N/A
2. Enable ACL checking for de-encapsulated packets.   ipsec decrypt-check enable    By default, this feature is enabled. This command is needed only to re-enable the feature after it has been disabled.
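The following Python model is added here as an illustration of the decision the feature makes; it is not code from the device documented on this page, and its rule and packet representations, prefixes and addresses are constructed for the example (real ACL syntax differs). It shows first-match ACL evaluation of the inner packet, the implicit drop when no permit rule matches, the check being skipped when the feature is disabled or the SA is not in tunnel mode, and why a permit-any ACL makes the check meaningless.

```python
# Added model of ACL checking for de-encapsulated packets (illustration only,
# not device code). Rule/packet layouts, prefixes and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches any protocol; otherwise "tcp", "udp", "icmp", ...
    src: str     # source prefix in CIDR notation
    dst: str     # destination prefix in CIDR notation


@dataclass(frozen=True)
class InnerPacket:
    """Header fields of the packet left after IPsec de-encapsulation."""
    proto: str
    src: str
    dst: str


def first_match(acl: Sequence[Rule], pkt: InnerPacket) -> Optional[Rule]:
    """Return the first rule the inner packet matches, or None (first match wins)."""
    for rule in acl:
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if (ip_address(pkt.src) in ip_network(rule.src, strict=False)
                and ip_address(pkt.dst) in ip_network(rule.dst, strict=False)):
            return rule
    return None


def decrypt_check(acl: Sequence[Rule], pkt: InnerPacket,
                  enabled: bool = True, tunnel_mode: bool = True) -> str:
    """Decide what happens to an inner packet after IPsec processing.

    Mirrors the documented behaviour: the check runs only when enabled and only
    for tunnel-mode IPsec; the packet is forwarded only if it hits a permit rule.
    No matching rule, or a deny match, means the packet is discarded.
    """
    if not enabled or not tunnel_mode:
        return "forward"  # feature off or transport mode: no inner-packet check
    rule = first_match(acl, pkt)
    if rule is not None and rule.action == "permit":
        return "forward"
    return "drop"


# Constructed sample: the IPsec policy protects 10.1.1.0/24 -> 10.1.2.0/24.
PROTECTED_ACL = [
    Rule("permit", "ip", "10.1.1.0/24", "10.1.2.0/24"),
]
# A permit-any ACL lets every inner packet through, so the check adds nothing.
PERMIT_ANY_ACL = [
    Rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

IN_SCOPE = InnerPacket("tcp", "10.1.1.5", "10.1.2.10")   # legitimate protected flow
SPOOFED = InnerPacket("tcp", "192.0.2.7", "10.1.2.10")   # inner source outside the tunnel's flows
WRONG_DST = InnerPacket("udp", "10.1.1.5", "10.9.9.9")   # aimed past the protected subnet


def demo() -> dict:
    """Run the sample packets through the check under several settings."""
    return {
        "in_scope": decrypt_check(PROTECTED_ACL, IN_SCOPE),
        "spoofed": decrypt_check(PROTECTED_ACL, SPOOFED),
        "wrong_dst": decrypt_check(PROTECTED_ACL, WRONG_DST),
        "spoofed_check_disabled": decrypt_check(PROTECTED_ACL, SPOOFED, enabled=False),
        "spoofed_transport_mode": decrypt_check(PROTECTED_ACL, SPOOFED, tunnel_mode=False),
        "spoofed_permit_any": decrypt_check(PERMIT_ANY_ACL, SPOOFED),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

The two rows worth comparing are the spoofed packet with the check enabled (dropped) and the same packet against the permit-any ACL (forwarded): the command only buys protection when the ACL in the IPsec policy is scoped to the real protected flows.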