Applying an IPsec policy to an interface 
You can apply an IPsec policy to an interface to protect certain data flows. To cancel the IPsec 
protection, remove the application of the IPsec policy. 
For each packet to be sent out of an interface to which an IPsec policy is applied, the interface searches the IPsec policy entries of that IPsec policy in ascending order of sequence number. If the packet matches the ACL of an IPsec policy entry, the interface uses that IPsec policy entry to protect the packet. If no entry matches, the interface sends the packet out without IPsec protection. 
When the interface receives an IPsec packet destined for the local device, it looks up the inbound IPsec SA by the SPI in the IPsec packet header and uses that SA to de-encapsulate the packet. If the de-encapsulated packet matches a permit rule of the ACL, the device processes the packet. If the de-encapsulated packet does not match any permit rule of the ACL, the device drops the packet. 
To apply an IPsec policy to an interface: 

Step 1. Enter system view. 
    Command: system-view 
    Remarks: N/A 
Step 2. Enter interface view. 
    Command: interface interface-type interface-number 
    Remarks: N/A 
Step 3. Apply an IPsec policy to the interface. 
    Command: ipsec apply { policy | ipv6-policy } policy-name 
    Remarks: By default, no IPsec policy is applied to an interface. 
    On an interface, you can apply a maximum of two IPsec policies: one IPv4 IPsec policy and one IPv6 IPsec policy. 
    An IKE-based IPsec policy can be applied to multiple interfaces. As a best practice, apply an IKE-based IPsec policy to only one interface. 
    A manual IPsec policy can be applied to only one interface. 
Step 4. Specify a traffic processing slot for the interface. 
    Command: service slot slot-number 
    Remarks: By default, no traffic processing slot is specified for an interface. Traffic on an interface is processed on the slot at which the traffic arrives. 
 
Enabling ACL checking for de-encapsulated packets 
This feature compares the de-encapsulated incoming IPsec packets against the ACL in the IPsec 
policy and discards those that do not match any permit rule of the ACL. This feature can protect 
networks against attacks using forged IPsec packets. 
This feature applies only to tunnel-mode IPsec. 
To enable ACL checking for de-encapsulated packets: 

Step 1. Enter system view. 
    Command: system-view 
    Remarks: N/A 
Step 2. Enable ACL checking for de-encapsulated packets. 
    Command: ipsec decrypt-check enable 
    Remarks: By default, this feature is enabled.
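The following is an added configuration walkthrough, not an example from this guide, that carries out both procedures above on a Comware-style CLI: it applies an IKE-based IPv4 IPsec policy to one interface and then confirms ACL checking for de-encapsulated packets. The interface name, the 192.0.2.0/24 and 10.x addresses, ACL 3101, the pre-shared key placeholder, and the acl, ipsec transform-set, ike keychain, ike profile, ipsec policy and display commands that build and verify the policy are assumptions taken from the same command family; only ipsec apply policy, service slot and ipsec decrypt-check enable are documented on this page. Lines beginning with # are explanatory comments.

```text
# Constructed example: define the traffic to protect, the proposal, the IKE
# peer and the IKE-based policy (these commands are assumed, not on this page).
system-view
acl advanced 3101
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
quit
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
quit
ike keychain keychain1
 pre-shared-key address 192.0.2.2 255.255.255.255 key simple PLACEHOLDER-PSK
quit
ike profile profile1
 keychain keychain1
 local-identity address 192.0.2.1
 match remote identity address 192.0.2.2 255.255.255.255
quit
ipsec policy policy1 10 isakmp
 security acl 3101
 transform-set tran1
 remote-address 192.0.2.2
 ike-profile profile1
quit
# Steps 2 and 3 of the first procedure: apply the IPv4 policy to the interface.
# The same interface may additionally carry one "ipsec apply ipv6-policy";
# a second IPv4 policy on this interface is not allowed.
interface gigabitethernet 1/0/1
 ipsec apply policy policy1
quit
# Second procedure: ACL checking is on by default; re-enabling it documents the
# intent that decrypted tunnel-mode packets not permitted by ACL 3101 be dropped.
ipsec decrypt-check enable
# Verify the policy binding and the negotiated SAs.
display ipsec policy
display ipsec sa
```

Because policy1 is IKE-based, the IPsec SAs appear in display ipsec sa only after traffic matching ACL 3101 triggers IKE negotiation with 192.0.2.2.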