H3C S6550X-HI Series Command Reference Manual page 2259

Usage guidelines
On an interface, you can apply a maximum of two IPsec policies: one IPv4 IPsec policy and one IPv6
IPsec policy.
An IKE-based IPsec policy that is bound to a source interface can be applied to multiple interfaces.
As a best practice, apply such an IPsec policy to only one interface. A manual IPsec policy can be
applied to only one interface.
Examples
# Apply IPsec policy policy1 to VLAN-interface 100.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] ipsec apply policy policy1
Related commands
display ipsec { ipv6-policy | policy }
ipsec { ipv6-policy | policy }
ipsec decrypt-check enable
Use ipsec decrypt-check enable to enable ACL checking for de-encapsulated IPsec packets.
Use undo ipsec decrypt-check to disable ACL checking for de-encapsulated IPsec packets.
Syntax
ipsec decrypt-check enable
undo ipsec decrypt-check enable
Default
ACL checking for de-encapsulated IPsec packets is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be under the
protection of the ACL specified in the IPsec policy. After being de-encapsulated, such packets
threaten network security. In this scenario, you can enable ACL checking for de-encapsulated
IPsec packets. All packets that fail the check are discarded, which improves network security.
Examples
# Enable ACL checking for de-encapsulated IPsec packets.
<Sysname> system-view
[Sysname] ipsec decrypt-check enable
ipsec df-bit
Use ipsec df-bit to configure the DF bit for the outer IP header of IPsec packets on an interface.
Use undo ipsec df-bit to restore the default.
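To make the ipsec decrypt-check enable usage guidelines on this page concrete, the following added example (not taken from the H3C manual or from Comware) models the check in Python and compares the result with the check enabled and disabled. The ACL, the addresses, the function names, and the mirror-image, first-match matching are assumptions of this model.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str  # "permit" or "deny"
    src: str     # source prefix, written for outbound traffic
    dst: str     # destination prefix, written for outbound traffic

# Constructed policy ACL (not from the manual): protect local 10.1.1.0/24
# to remote 10.2.2.0/24, except host 10.1.1.99.
POLICY_ACL = [
    Rule("deny", "10.1.1.99/32", "10.2.2.0/24"),
    Rule("permit", "10.1.1.0/24", "10.2.2.0/24"),
]

def _within(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def decrypt_check(inner_src, inner_dst, acl=POLICY_ACL, enabled=True):
    """Decide the fate of the inner packet of a de-encapsulated tunnel-mode packet.

    Assumption of this model: the inbound inner header is matched against the
    mirror image of each rule (src/dst swapped), the first match wins, and a
    packet that matches no permit rule is discarded.
    """
    if not enabled:  # models `undo ipsec decrypt-check enable`
        return "forward"
    for rule in acl:
        if _within(inner_src, rule.dst) and _within(inner_dst, rule.src):
            return "forward" if rule.action == "permit" else "discard"
    return "discard"

# Constructed inner headers (src, dst) as seen after decryption.
SAMPLES = [
    ("10.2.2.10", "10.1.1.20"),     # inside the protected flow
    ("10.2.2.10", "10.1.3.5"),      # destination outside the ACL
    ("192.168.50.7", "10.1.1.20"),  # source outside the ACL
    ("10.2.2.10", "10.1.1.99"),     # hits the deny rule
]

def verdicts(enabled=True):
    """Return the verdict for every constructed sample, in order."""
    return [decrypt_check(s, d, enabled=enabled) for s, d in SAMPLES]

if __name__ == "__main__":
    for (s, d), on, off in zip(SAMPLES, verdicts(True), verdicts(False)):
        print(f"{s:>13} -> {d:<10} check on: {on:<8} check off: {off}")
```

With the check disabled, every inner packet that decrypts under a valid SA is forwarded, including the three whose inner headers fall outside the policy ACL.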