CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
(Optional) Configuring IPSec Check



IPSec check ensures that data flows are correctly encrypted. After IPSec check is enabled, the device checks packets received on the interface to which an IPSec policy is applied. In tunnel mode, the IP header of a packet decrypted by the inbound SA may not be defined in the ACL; for example, the IP header of an attack packet may be outside the range defined in the ACL. After IPSec check is configured, the device re-checks whether the IP header of each decrypted IPSec packet is within the range defined by the ACL. If the decrypted IPSec packet matches the permit action, the device continues to process the packet. If the decrypted IPSec packet does not match the permit action, the device discards the packet. This improves network security.

When IPSec is deployed using an IPSec policy template, the IPSec check function checks only the data that matches the rule with the smallest number in the ACL referenced in the IPSec policy template. If an ACL rule matches a wide range of packets (for example, permit ip is configured), the IPSec check function may discard packets even if no tunnel exists. In this situation, if the remote device needs to receive packets, disable the IPSec check function to allow the packets to pass through.


  1. Run system-view

    The system view is displayed.

  2. Run ipsec decrypt check

    Post-IPSec check is enabled.

    By default, the device does not check decrypted IPSec packets.
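The post-decryption check described above can be pictured with the following simplified model. It is an added example, not Huawei code or device output: the Rule type, the function names, the ACL contents and the sample addresses are all constructed, and the rules are assumed to be written as seen by the inbound (decrypted) packet.

```python
"""Simplified model of the post-decryption ACL check (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int   # ACL rule number; lower numbers are evaluated first
    action: str   # "permit" or "deny"
    src: str      # source network of the inner (decrypted) IP header
    dst: str      # destination network of the inner IP header


def post_decrypt_check(rules, inner_src, inner_dst, check_enabled=True):
    """Return "forward" or "discard" for a decrypted tunnel-mode packet."""
    if not check_enabled:
        # Default on the page: decrypted IPSec packets are not re-checked.
        return "forward"
    src, dst = ip_address(inner_src), ip_address(inner_dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if src in ip_network(rule.src) and dst in ip_network(rule.dst):
            return "forward" if rule.action == "permit" else "discard"
    # No rule matched, so the packet did not match a permit action.
    return "discard"


# Constructed ACL: remote subnet 10.2.0.0/24 may reach local 10.1.0.0/24,
# except for the upper half of the remote subnet.
ACL = [
    Rule(5, "deny", "10.2.0.128/25", "10.1.0.0/24"),
    Rule(10, "permit", "10.2.0.0/24", "10.1.0.0/24"),
]

# Constructed inner headers recovered after decryption.
SAMPLES = [
    ("10.2.0.10", "10.1.0.20"),   # inside the protected flow
    ("10.2.0.200", "10.1.0.20"),  # matches deny rule 5
    ("192.0.2.66", "10.1.0.20"),  # inner source outside the ACL range
]


def run_samples(check_enabled=True):
    return [post_decrypt_check(ACL, s, d, check_enabled) for s, d in SAMPLES]


if __name__ == "__main__":
    for (s, d), verdict in zip(SAMPLES, run_samples()):
        print(f"{s} -> {d}: {verdict}")
```

With the check disabled (the default), all three sample packets are forwarded, including the one whose inner source address lies outside the ACL range.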

Updated: 2019-04-12

Document ID: EDOC1100041799
