(Optional) Configuring IPSec Check
Context
To ensure security, do not disable IPSec check. After IPSec check is disabled, the system allows unencrypted packets to pass through, failing to prevent internal attackers.
Pre-IPSec check
The device checks plaintext packets received on an interface. If the packets that should be encrypted have not been encrypted, the device discards the packets.
Post-IPSec check
The device checks decrypted packets. If the packets that should not be encrypted have been encrypted, the device discards the packets.
After an IPSec profile is applied to a virtual tunnel interface, the device generates an ACL based on the encapsulation mode of the tunnel interface. In tunnel mode, the IP header in the decapsulated IPSec packet of the inbound SA may be not defined in an ACL. For example, the IP header of attack packets may be out of the range defined in the ACL. After post-IPSec check is configured, the device re-checks whether the IP header of the decapsulated IPSec packet is in the range defined in an ACL. If the IP header matches the permit rule, the device performs subsequent operations on the packet. Otherwise, the device discards the IPSec packet. The network security is therefore improved.
The generated ACL varies depending on the encapsulation mode of the virtual tunnel interface:- When the encapsulation mode is set to IPSec, the source and destination addresses in the ACL are both any, indicating that all data flows destined for the tunnel interface are protected.
- When the encapsulation mode is set to GRE, the source and destination addresses in the ACL are the source and destination addresses of the tunnel interface respectively.
Procedure
- Run system-view
The system view is displayed.
- Run ipsec pre-check enable
Pre-IPSec check is enabled.
By default, pre-IPSec check is enabled. - Run ipsec decrypt check
Post-IPSec check is enabled.
By default, the device checks decrypted IPSec packets.