322
Usage guidelines
In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be under the protection
of the ACL specified in the IPsec policy. After being de-encapsulated, such packets bring threats to the
network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets. All
packets failing the checking are discarded, improving the network security.
Examples
# Enable ACL checking for de-encapsulated IPsec packets.
<Sysname> system-view
[Sysname] ipsec decrypt-check enable
ipsec logging packet enable
Use ipsec logging packet enable to enable logging for IPsec packets.
Use undo ipsec logging packet enable to disable logging for IPsec packets.
Syntax
ipsec logging packet enable
undo ipsec logging packet enable
Default
Logging for IPsec packets is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
After logging for IPsec packets is enabled, the device outputs a log when an IPsec packet is discarded.
IPsec packets might be discarded due to lack of inbound SA, AH/ESP authentication failure, or ESP
encryption failure. A log contains the source and destination IP addresses, SPI, and sequence number of
the packet, and the reason it was discarded.
Examples
# Enable logging for IPsec packets.
<Sysname> system-view
[Sysname] ipsec logging packet enable
ipsec df-bit
Use ipsec df-bit to set the DF bit for outer IP headers of encapsulated IPsec packets on an interface.
Use undo ipsec df-bit to restore the default.
Syntax
ipsec df-bit { clear | copy | set }
undo ipsec df-bit
To Next Page
Loading...
Need help?
General
