Enabling Inspection of IPsec VPN Traffic
Internet Protocol Security (IPsec) virtual private networks (VPNs) use the Encapsulating Security Payload (ESP) protocol to ensure the authenticity, integrity, and confidentiality of IP packets. When ESP is configured with the NULL encryption algorithm, the payload is authenticated but not encrypted, so its contents remain readable once the ESP header and trailer are stripped. You can use the command-line interface (CLI) to enable decapsulation of IPsec ESP NULL traffic so that the IDP engine can inspect it. You can configure decapsulation for one or two layers (that is, for nested ESP NULL encapsulation).
To enable and configure decapsulation:
- Log into the CLI as admin and enter su - to switch to root.
- Enter the following command to enable decapsulation:
[root@defaulthost admin]# scio const -s s0 set sc_null_esp_decapsulation 1
scio: setting sc_null_esp_decapsulation to 0x1
By default, the IDP engine decapsulates one layer.
- Optional. Change the maximum decapsulation to two layers by entering the following command:
[root@defaulthost admin]# scio const -s s0 set sc_max_decapsulation 2
scio: setting sc_max_decapsulation to 0x2
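To make concrete what the engine does when it decapsulates ESP NULL traffic, the following Python illustration (added here; it is not Juniper's IDP code) parses the ESP header and trailer of a cleartext ESP packet, strips one or two layers according to a max_layers limit analogous to sc_max_decapsulation, and returns the inner packet. The packet builders, sample addresses, SPIs and the 12-byte zero-filled ICV are constructed assumptions; a real ICV is an HMAC that a gateway verifies rather than skips.

```python
import struct

ESP = 50          # IP protocol number for ESP
IPV4_TUNNEL = 4   # ESP next-header value meaning "an IPv4 packet follows" (tunnel mode)

def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal IPv4 header (constructed sample; checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def build_esp_null(spi, seq, next_hdr, inner, icv_len=12):
    """ESP with NULL encryption: header, cleartext payload, trailer, ICV (ICV zero-filled here)."""
    pad_len = (-(len(inner) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding bytes 1, 2, 3, ...
    return struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_hdr]) + b"\x00" * icv_len

def strip_esp_null(ip_pkt, icv_len):
    """Remove one ESP-NULL layer from an IPv4/ESP packet; return (next_header, payload)."""
    if len(ip_pkt) < 20 or ip_pkt[0] >> 4 != 4 or ip_pkt[9] != ESP:
        raise ValueError("not an IPv4 packet carrying ESP")
    ihl = (ip_pkt[0] & 0x0F) * 4
    esp = ip_pkt[ihl:]
    if len(esp) < 8 + 2 + icv_len:
        raise ValueError("ESP segment shorter than header + trailer + ICV")
    body = esp[8:len(esp) - icv_len]            # skip SPI + sequence number, drop the ICV
    pad_len, next_hdr = body[-2], body[-1]      # trailer: pad length, next header
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds ESP payload")
    return next_hdr, body[:len(body) - 2 - pad_len]

def decapsulate(pkt, max_layers=1, icv_len=12):
    """Strip up to max_layers of ESP-NULL (tunnel mode); return (layers_stripped, next_header, inner).
    next_header == IPV4_TUNNEL means inner is an IPv4 packet; anything else is a transport-mode segment."""
    layers, next_hdr = 0, IPV4_TUNNEL
    while layers < max_layers and next_hdr == IPV4_TUNNEL and len(pkt) >= 20 and pkt[9] == ESP:
        next_hdr, pkt = strip_esp_null(pkt, icv_len)
        layers += 1
    return layers, next_hdr, pkt

# Constructed sample: a TCP segment inside an IPv4 packet, wrapped in one and then two ESP-NULL layers.
INNER = build_ipv4(6, b"GET / HTTP/1.0\r\n")
ONE_LAYER = build_ipv4(ESP, build_esp_null(0x1001, 1, IPV4_TUNNEL, INNER))
TWO_LAYERS = build_ipv4(ESP, build_esp_null(0x2002, 7, IPV4_TUNNEL, ONE_LAYER))

if __name__ == "__main__":
    for name, pkt in (("one layer", ONE_LAYER), ("two layers", TWO_LAYERS)):
        for limit in (1, 2):
            layers, nh, inner = decapsulate(pkt, max_layers=limit)
            print(f"{name}, max_layers={limit}: stripped {layers}, inner is IPv4 proto {inner[9]}")
```

With max_layers=1 the doubly encapsulated sample is only unwrapped once and the engine would still see an ESP packet, which is exactly why sc_max_decapsulation must be raised to 2 for nested tunnels.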
Changes you make to kernel constants from the CLI do not persist across restarts. To make your change persistent:
- Open the /usr/idp/device/bin/user_funcs file in a text editor, such as vi.
- Add the scio command for the constant below the line user_start_end() {, inside the function body. If you also raised sc_max_decapsulation, add its scio command on its own line in the same function.
For example:
user_start_end() {
    $SCIO const -s s0 set sc_null_esp_decapsulation 1
}
- Save the file.
- Restart the IDP engine:
[root@defaulthost admin]# idp.sh restart
Restarting the IDP engine can take several moments.