The ipsec netmask command configures the IPSec mask filtering function.
The undo ipsec netmask command deletes the IPSec mask filtering function.
By default, IPSec mask filtering is not configured in the system.
ipsec netmask { source source-mask | [ source source-mask ] destination destination-mask }
undo ipsec netmask [ source | destination ]
| Parameter | Description | Value |
|---|---|---|
| source source-mask | Specifies the source IPv4 address mask of data flows. | The value is an integer in the range from 1 to 32. |
| destination destination-mask | Specifies the destination IPv4 address mask of data flows. | The value is an integer in the range from 1 to 32. |
Usage Scenario
In scenarios where branches connect to the headquarters, if a branch is configured with an overly large range of protected data flows, traffic destined for other branches may be incorrectly diverted to that branch. In this case, you can run the ipsec netmask command to check and restrict the flow information (the source and destination address ranges) that the peer proposes during IPSec tunnel negotiation. After this function is configured, the device checks the source and destination IP address masks proposed by the peer device. If each mask length is greater than or equal to the corresponding configured value, negotiation continues. Otherwise, the IPSec SA negotiation fails.
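The following is an added example, not part of the command reference and not device code, that models the admission decision described above for a headquarters device: the peer's proposed flow is accepted only if its source and destination mask lengths are at least the configured minimums, and a mask that is not configured is not checked. The class and function names, and the representation of the peer's flow as CIDR or dotted-mask strings, are assumptions made for the example.

```python
"""
Model of the ``ipsec netmask`` mask-filtering check (added example).

Behaviour reproduced from the command description:
  * configured values are minimum mask lengths in the range 1..32;
  * a negotiation continues only if the peer's source and destination
    mask lengths are >= the configured values, otherwise it fails;
  * only IPv4 is supported;
  * the check applies only when an IPsec policy template is in use.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class NetmaskPolicy:
    """Configured minimums. None means 'not configured' (undo ipsec netmask ...)."""
    source: Optional[int] = None        # ipsec netmask source <1-32>
    destination: Optional[int] = None   # ipsec netmask destination <1-32>
    policy_template: bool = True        # assumption: flag for 'IPsec policy template in use'

    def __post_init__(self) -> None:
        for name in ("source", "destination"):
            value = getattr(self, name)
            if value is not None and not 1 <= value <= 32:
                raise ValueError(f"{name} mask must be an integer from 1 to 32, got {value}")


def prefix_length(flow: str) -> int:
    """Mask length of an IPv4 flow given as 'a.b.c.d/len' or 'a.b.c.d/dotted-mask'."""
    network = ipaddress.ip_network(flow, strict=False)   # strict=False tolerates host bits
    if network.version != 4:
        raise ValueError("ipsec netmask supports only IPv4 flows")
    return network.prefixlen


def check_peer_flow(policy: NetmaskPolicy, peer_src: str, peer_dst: str) -> Tuple[bool, str]:
    """
    Decide whether IPsec SA negotiation continues for the peer's proposed flow.
    Returns (accepted, reason) so the reason can be logged on rejection.
    """
    if not policy.policy_template:
        # Precaution from the page: filtering is applied only with a policy template.
        return True, "no IPsec policy template: mask filtering not applied"

    src_len = prefix_length(peer_src)
    dst_len = prefix_length(peer_dst)

    if policy.source is not None and src_len < policy.source:
        return False, f"source mask /{src_len} shorter than configured minimum /{policy.source}"
    if policy.destination is not None and dst_len < policy.destination:
        return False, f"destination mask /{dst_len} shorter than configured minimum /{policy.destination}"
    return True, f"mask check passed (source /{src_len}, destination /{dst_len})"


if __name__ == "__main__":
    # Constructed sample: headquarters requires at least /24 on both sides.
    hq = NetmaskPolicy(source=24, destination=24)
    # A branch proposing its own /24 subnet is accepted ...
    print(check_peer_flow(hq, "10.1.1.0/24", "192.168.100.0/24"))
    # ... while a branch claiming the whole 10.0.0.0/8 (which would capture
    # other branches' traffic) is rejected and the SA negotiation fails.
    print(check_peer_flow(hq, "10.0.0.0/8", "192.168.100.0/24"))
```

With only `ipsec netmask source 24` configured, the destination mask is not examined, which is the `source source-mask` form of the command; configuring both operands restricts both directions of the proposed flow.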
Precautions
The device checks and restricts the peer's proposed flow information only when an IPSec policy template is used.
This function supports only IPv4.