[x]

IPsec commands > ipsec decrypt-check enable

 

 Next

ipsec decrypt-check enable

Use ipsec decrypt-check enable to enable ACL checking for de-encapsulated IPsec packets.

Use undo ipsec decrypt-check to disable ACL checking for de-encapsulated IPsec packets.

Syntax

ipsec decrypt-check enable

undo ipsec decrypt-check enable

Default

ACL checking for de-encapsulated IPsec packets is enabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be under the protection of the ACL specified in the IPsec policy. After being de-encapsulated, such packets bring threats to the network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets. All packets failing the checking are discarded, improving the network security.

Examples

# Enable ACL checking for de-encapsulated IPsec packets.

<Sysname> system-view
[Sysname] ipsec decrypt-check enable

prev

 

up

 next

ipsec apply 

home

 ipsec df-bit

© Copyright 2018 Hewlett Packard Enterprise Development LP