ipsec decrypt-check enable
Use ipsec decrypt-check enable to enable ACL checking for de-encapsulated IPsec packets.
Use undo ipsec decrypt-check to disable ACL checking for de-encapsulated IPsec packets.
Syntax
ipsec decrypt-check enable
undo ipsec decrypt-check enable
Default
ACL checking for de-encapsulated IPsec packets is enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be under the protection of the ACL specified in the IPsec policy. After being de-encapsulated, such packets bring threats to the network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets. All packets failing the checking are discarded, improving the network security.
Examples
# Enable ACL checking for de-encapsulated IPsec packets.
<Sysname> system-view [Sysname] ipsec decrypt-check enable