
ipsec decrypt check

Function

The ipsec decrypt check command enables a device to check decrypted IPSec packets.

The undo ipsec decrypt check command disables a device from checking decrypted IPSec packets.

By default, the device checks decrypted IPSec packets.

The virtual system does not support this command.

Format

ipsec decrypt check

undo ipsec decrypt check

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

In tunnel mode, the IP header of a decrypted inbound IPSec packet may not fall within the range defined in the ACL; for example, the IP header of an attack packet may lie outside that range. The device therefore checks whether the IP header of each decrypted IPSec packet is within the range defined by the ACL. If the decrypted packet matches a permit clause, the device continues to process it; if it does not match a permit clause, the device discards it. Discarding packets that fail the ACL check improves network security.

When an IPSec tunnel is established using a tunnel interface and the ipsec decrypt check command is executed in the system view, packets decrypted by IPSec are checked against the ACL rule. Note the following points:
  • When the encapsulation mode is set to IPSec, the source and destination addresses in the ACL are both any, indicating that all data flows destined for the IPSec tunnel interface are protected.
  • When the encapsulation mode is set to GRE, the source and destination addresses in the ACL are the source and destination addresses of the IPSec tunnel interface respectively.
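The following Python model illustrates the post-decryption ACL check described above and the effective ACL for the two tunnel-interface encapsulation modes. It is an added example written for this page, not Huawei device code; the ACL, addresses and inner headers are constructed sample values, and it matches the decrypted header's source and destination directly against the ACL (the page does not say whether the device mirrors the ACL direction for inbound traffic, so that is an assumption of this model).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class InnerIpHeader:
    """IP header of the packet that remains after IPSec decryption (tunnel mode)."""
    src: str
    dst: str


def acl_rule(action: str, src: str, dst: str) -> AclRule:
    return AclRule(action,
                   ipaddress.ip_network(src, strict=False),
                   ipaddress.ip_network(dst, strict=False))


def decrypt_check(acl: List[AclRule], header: InnerIpHeader, enabled: bool = True) -> bool:
    """Model of 'ipsec decrypt check'.

    Returns True if the decrypted packet is forwarded, False if it is discarded.
    With the check disabled (undo ipsec decrypt check) every decrypted packet passes.
    """
    if not enabled:
        return True
    src = ipaddress.ip_address(header.src)
    dst = ipaddress.ip_address(header.dst)
    for rule in acl:                 # first matching clause decides
        if src in rule.src and dst in rule.dst:
            return rule.action == "permit"
    return False                     # no permit clause matched: discard


def tunnel_interface_acl(encap_mode: str,
                         tunnel_src: Optional[str] = None,
                         tunnel_dst: Optional[str] = None) -> List[AclRule]:
    """Effective ACL when the tunnel is built on a tunnel interface (per the page).

    IPSec encapsulation: source and destination are both 'any'.
    GRE encapsulation: source and destination are the tunnel interface addresses.
    """
    if encap_mode == "ipsec":
        return [acl_rule("permit", "0.0.0.0/0", "0.0.0.0/0")]
    if encap_mode == "gre":
        if tunnel_src is None or tunnel_dst is None:
            raise ValueError("GRE mode needs the tunnel interface source and destination")
        return [acl_rule("permit", tunnel_src + "/32", tunnel_dst + "/32")]
    raise ValueError("unknown encapsulation mode: " + encap_mode)


# Constructed sample ACL: protect traffic between two private subnets,
# but explicitly deny one host even though it sits inside the permitted subnet.
SAMPLE_ACL = [
    acl_rule("deny", "10.1.1.50/32", "0.0.0.0/0"),
    acl_rule("permit", "10.1.1.0/24", "10.2.2.0/24"),
]

if __name__ == "__main__":
    inside = InnerIpHeader("10.1.1.7", "10.2.2.5")       # within the ACL range
    outside = InnerIpHeader("192.168.99.9", "10.2.2.5")  # inner header outside the ACL range
    print("in-range packet forwarded:", decrypt_check(SAMPLE_ACL, inside))
    print("out-of-range packet forwarded (check on):", decrypt_check(SAMPLE_ACL, outside))
    print("out-of-range packet forwarded (check off):", decrypt_check(SAMPLE_ACL, outside, enabled=False))
    gre_acl = tunnel_interface_acl("gre", "1.1.1.1", "2.2.2.2")
    print("GRE packet between tunnel endpoints forwarded:",
          decrypt_check(gre_acl, InnerIpHeader("1.1.1.1", "2.2.2.2")))
```

Running the block shows the point of the default setting: with the check enabled, a decrypted packet whose inner header is outside the ACL range is discarded, while with undo ipsec decrypt check the same packet would be forwarded.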

Example

# Disable the device from checking decrypted IPSec packets.

<sysname> system-view
[sysname] undo ipsec decrypt check
Copyright © Huawei Technologies Co., Ltd.