< Home

(Optional) Configuring IPSec Mask Filtering

Context

In scenarios where branches connect to the headquarters, if a branch has a too large protection data flow range configured, traffic of other branches may be incorrectly diverted to the branch. In this case, you can configure IPSec mask filtering to check and restrict access of flow information negotiated by the IPSec tunnel. After this function is configured, the device checks the source and destination IP address masks of the peer device. If the mask values are greater than or equal to the configured values, subsequent negotiation continues. Otherwise, the IPSec SA negotiation fails.

The device checks and restricts the access of flow information only when it adopts the IPSec policy template.

This function supports only IPv4.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec netmask { source source-mask | [ source source-mask ] destination destination-mask }

    IPSec mask filtering is configured.

    By default, IPSec mask filtering is not configured in the system.

Parent Topic: Using an ACL to Establish an IPSec Tunnel-CLI
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >