
    Enabling Inspection of IPsec VPN Traffic

    Internet Protocol Security (IPsec) virtual private networks (VPNs) use the Encapsulating Security Payload (ESP) protocol to ensure the authenticity, integrity, and confidentiality of IP packets. When ESP is used with the NULL encryption algorithm, the payload is authenticated but not encrypted, which is what makes inspection of the inner packet possible. You can use the command-line interface (CLI) to enable decapsulation of IPsec ESP NULL traffic so that the IDP engine can inspect it. You can configure decapsulation for one or two layers.

    To enable and configure decapsulation:

    1. Log into the CLI as admin and enter su - to switch to root.
    2. Enter the following command to enable decapsulation:

      [root@defaulthost admin]# scio const -s s0 set sc_null_esp_decapsulation 1
      scio: setting sc_null_esp_decapsulation to 0x1

      By default, the IDP engine decapsulates one layer.

    3. Optional. Change the maximum decapsulation to two layers by entering the following command:

      [root@defaulthost admin]# scio const -s s0 set sc_max_decapsulation 2
      scio: setting sc_max_decapsulation to 0x2

    Changes you make to kernel constants from the CLI do not persist across restarts. To make your change persistent:

    1. Open the /usr/idp/device/bin/user_funcs file in a text editor, such as vi.
    2. Add the constant below the line user_start_end(). For example:
      $SCIO const -s s0 set sc_null_esp_decapsulation 1
    3. Save the file.
    4. Restart the IDP engine:
      [root@defaulthost admin]# restart

      Restarting the IDP engine can take several moments.
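The persistence steps above amount to inserting the scio constant line directly below user_start_end() in user_funcs. The following shell script is an added example, not Juniper's own code: it performs that insertion idempotently (so re-running it never duplicates the line) and refuses to touch a file that lacks the user_start_end() marker. The target path, the $SCIO variable and the constant names come from this page; the sample file it operates on in the demo is constructed, and you would point the function at the real /usr/idp/device/bin/user_funcs on the IDP device (as root) before restarting the engine.

```shell
#!/bin/sh
# Added example: make an IDP kernel-constant change persistent by inserting
# the scio line below user_start_end() in user_funcs. Not Juniper's code.

# add_persistent_const FILE LINE
# Inserts LINE directly after the first line containing user_start_end().
# Returns 0 if LINE was added or is already present, 1 if the marker is missing
# (so a malformed or unexpected file is never silently appended to).
add_persistent_const() {
    file="$1"
    const_line="$2"
    marker='user_start_end()'

    # Idempotence: an identical line already in the file means nothing to do.
    grep -Fqx "$const_line" "$file" && return 0

    # Safety: without the marker we cannot know where the line belongs.
    grep -Fq "$marker" "$file" || return 1

    tmp="$file.tmp.$$"
    # Copy every line; after the first marker line, emit the constant once.
    awk -v marker="$marker" -v line="$const_line" '
        { print }
        !done && index($0, marker) { print line; done = 1 }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_const FILE LINE
# Prints how many times LINE appears verbatim in FILE (0 on no match).
count_const() {
    grep -Fcx "$2" "$1" || true
}

# Demo on a constructed stand-in for /usr/idp/device/bin/user_funcs.
demo_file="${TMPDIR:-/tmp}/user_funcs.demo.$$"
printf '#!/bin/sh\n# constructed sample of user_funcs\nuser_start_end()\n' > "$demo_file"

add_persistent_const "$demo_file" '$SCIO const -s s0 set sc_null_esp_decapsulation 1'
add_persistent_const "$demo_file" '$SCIO const -s s0 set sc_max_decapsulation 2'
# Running again must not add a second copy.
add_persistent_const "$demo_file" '$SCIO const -s s0 set sc_null_esp_decapsulation 1'

echo "Resulting user_funcs:"
cat "$demo_file"
rm -f "$demo_file"
```

Because the file is rewritten through a temporary copy and then moved into place, a failed awk run leaves the original user_funcs untouched; after editing the real file, restart the IDP engine as the procedure describes.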

    Published: 2011-02-08