Enabling ACL checking for de-encapsulated packets
This feature compares the de-encapsulated incoming IPsec packets against the ACL in the IPsec policy and discards those that do not match any permit rule of the ACL. This feature can protect networks against attacks using forged IPsec packets.
This feature applies only to tunnel-mode IPsec.
To enable ACL checking for de-encapsulated packets:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable ACL checking for de-encapsulated packets. | ipsec decrypt-check enable | By default, this feature is enabled. |
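
The check described above, modeled in Python as an added example (not H3C code or device output): it shows which de-encapsulated inner headers survive when the check is on and what passes when it is off. The ACL, the addresses, the in-order first-match evaluation and the inbound-direction rule layout are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # prefix the inner source address must fall in
    dst: str      # prefix the inner destination address must fall in

    def matches(self, inner_src: str, inner_dst: str) -> bool:
        return (ipaddress.ip_address(inner_src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(inner_dst) in ipaddress.ip_network(self.dst))

def decrypt_check(inner_src, inner_dst, acl, mode="tunnel", enabled=True):
    """Verdict ('forward' or 'discard') for one de-encapsulated inbound packet."""
    # The check is skipped when the feature is off, and it only applies to tunnel mode.
    if not enabled or mode != "tunnel":
        return "forward"
    for rule in acl:  # assumption: rules are evaluated in order, first match decides
        if rule.matches(inner_src, inner_dst):
            return "forward" if rule.action == "permit" else "discard"
    return "discard"  # matched no permit rule

# Constructed ACL for the IPsec policy, written in the inbound direction:
# remote protected subnet 10.1.2.0/24 -> local protected subnet 10.1.1.0/24.
ACL = [
    Rule("deny", "10.1.2.99/32", "10.1.1.0/24"),
    Rule("permit", "10.1.2.0/24", "10.1.1.0/24"),
]

# Constructed inner headers of packets that already passed SA lookup and decryption.
PACKETS = [
    ("10.1.2.10", "10.1.1.5"),     # inside the protected flow
    ("192.168.50.7", "10.1.1.5"),  # inner source outside the protected flow
    ("10.1.2.10", "10.9.9.9"),     # inner destination outside the protected flow
    ("10.1.2.99", "10.1.1.5"),     # hits the deny rule first
]

def verdicts(enabled=True):
    return [decrypt_check(s, d, ACL, enabled=enabled) for s, d in PACKETS]

if __name__ == "__main__":
    for (s, d), v in zip(PACKETS, verdicts()):
        print(f"{s:>14} -> {d:<10} {v}")
```

With `enabled=False` every packet in the sample is forwarded, which is the exposure the default setting closes.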