(Optional) Configuring IPSec Check
Context
To ensure security, do not disable IPSec check. After IPSec check is disabled, the system allows unencrypted packets to pass through, failing to prevent internal attackers.
Pre-IPSec check
The device checks plaintext packets received on an interface. If the packets that should be encrypted have not been encrypted, the device discards the packets.
Post-IPSec check
The device checks decrypted packets. If the packets that should not be encrypted have been encrypted, the device discards the packets.
In tunnel mode, the IP header in the decrypted IPSec packet of the inbound SA may be not defined in an ACL, for example, the IP header of attack packets may be out of the range defined in the ACL. After IPSec check is configured, the device re-checks whether the IP header of the decrypted IPSec packet is in the range defined by an ACL. If the decrypted IPSec packet matches the permit action, the device continues to process the IPSec packet. If the decrypted IPSec packet does not match the permit action, the device discards the IPSec packet. This improves network security.
In a scenario where the same IPSec policy is applied to multiple interfaces (that is, the data flows protected by IPSec are the same) and post-IPSec check is enabled, if the IPSec request and reply packets are not forwarded based on the sticky load balancing rule, the post-IPSec check function discards the reply packet. Packet discarding compromises the IPSec service. Therefore, ensure that the IPSec service complies with the sticky load balancing rule in this scenario.
Procedure
- Run system-view
The system view is displayed.
- Run ipsec pre-check enable
Pre-IPSec check is enabled.
By default, pre-IPSec check is enabled. - Run ipsec decrypt check
Post-IPSec check is enabled.
By default, the device checks decrypted IPSec packets.