AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ipsec decrypt check

Function

The ipsec decrypt check command enables ACL-based checking of decrypted IPSec packets: after an inbound packet is decrypted, its inner IP header is matched against the ACL that defines the data flow to be protected.

The undo ipsec decrypt check command disables ACL-based checking of decrypted IPSec packets.

By default, decrypted IPSec packets are not checked against the ACL.

Format

ipsec decrypt check

undo ipsec decrypt check

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

In tunnel mode, the IP header of a packet decrypted under an inbound SA may not fall within the data flow defined by the ACL; for example, the inner IP header of an attack packet may be outside the range the ACL defines, even though the packet was decrypted successfully. With this command enabled, the device re-checks whether the inner IP header of each decrypted IPSec packet is within the range defined by the ACL. If the decrypted packet matches a permit rule, the device continues to process it. If the decrypted packet does not match a permit rule, the device discards it. Discarding decrypted packets that fail the ACL check prevents a peer from using an established tunnel to inject traffic that the ACL never authorized, which improves network security.

When an IPSec tunnel is established using a tunnel interface and the ipsec decrypt check command is executed in the system view, packets decrypted by IPSec are checked against the ACL rule. Note the following points:
  • When the encapsulation mode of the tunnel interface is IPSec, the source and destination addresses in the ACL are both any, indicating that all data flows destined for the IPSec tunnel interface are protected.
  • When the encapsulation mode of the tunnel interface is GRE, the source and destination addresses in the ACL are the source and destination addresses of the IPSec tunnel interface, respectively.
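The following added example (not part of this command reference, and not Huawei code) models the decision described above so the effect of the command can be seen on concrete packets: the inner header revealed by decryption is matched against the protected data flow, and a packet whose inner header hits no permit rule is dropped. The ACL text is a constructed example in Huawei advanced-ACL style (source/destination given as address plus wildcard mask, where a 0 bit in the wildcard means the bit must match); the ACL number, subnets and packets are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample ACL (assumption: the page shows no ACL). Rule 5 describes the
# protected flow between two sites; rule 10 is an explicit catch-all deny.
ACL_3000 = """
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
rule 10 deny ip
"""


def ip2int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Match:
    """Address plus wildcard mask; wildcard 1-bits are 'don't care'."""
    addr: int
    wildcard: int

    def covers(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (ip2int(ip) & care) == (self.addr & care)


ANY = Match(0, 0xFFFFFFFF)  # 'any' or an omitted source/destination


@dataclass(frozen=True)
class Rule:
    number: int
    action: str  # "permit" or "deny"
    src: Match
    dst: Match


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule <n> permit|deny ip [source A W] [destination A W]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "rule" or tok[3] != "ip":
            continue
        src = dst = ANY
        i = 4
        while i < len(tok):
            key = tok[i]
            if tok[i + 1] == "any":
                m, i = ANY, i + 2
            else:
                m, i = Match(ip2int(tok[i + 1]), ip2int(tok[i + 2])), i + 3
            if key == "source":
                src = m
            elif key == "destination":
                dst = m
        rules.append(Rule(int(tok[1]), tok[2], src, dst))
    return sorted(rules, key=lambda r: r.number)


@dataclass(frozen=True)
class DecryptedPacket:
    outer_src: str  # tunnel endpoint from the ESP outer header (authenticated by the SA)
    outer_dst: str
    inner_src: str  # IP header exposed by decryption; this is what the ACL re-check inspects
    inner_dst: str


def decrypt_check(pkt: DecryptedPacket, rules: List[Rule], enabled: bool = True) -> str:
    """Return 'forward' or 'drop' for a packet that has already been decrypted.

    Without the check (the default) the packet is forwarded as-is. With the check,
    the inner header must hit a permit rule; a deny hit or no hit at all drops it.
    """
    if not enabled:
        return "forward"
    for r in rules:
        if r.src.covers(pkt.inner_src) and r.dst.covers(pkt.inner_dst):
            return "forward" if r.action == "permit" else "drop"
    return "drop"


RULES = parse_acl(ACL_3000)
# Constructed packets. Both arrive over the same SA between the two tunnel endpoints;
# only the inner header differs.
LEGIT = DecryptedPacket("203.0.113.2", "203.0.113.1", "10.1.1.5", "10.1.2.7")
INJECTED = DecryptedPacket("203.0.113.2", "203.0.113.1", "192.168.99.1", "10.1.2.7")


def run_examples() -> dict:
    return {
        "legit_checked": decrypt_check(LEGIT, RULES),
        "injected_checked": decrypt_check(INJECTED, RULES),
        "injected_unchecked": decrypt_check(INJECTED, RULES, enabled=False),
    }


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name}: {verdict}")
```

The third case is the one the command exists for: the peer holds a valid SA, so decryption and integrity verification succeed, yet the inner source 192.168.99.1 is outside the flow the ACL protects. With the check disabled the device forwards that packet; with ipsec decrypt check enabled it is discarded.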

Example

# Check decrypted packets based on the ACL.

<Huawei> system-view
[Huawei] ipsec decrypt check
Updated: 2019-05-29

Document ID: EDOC1000097293