ACLs Applied to an IPsec Policy

An IPsec policy can protect different data flows. In practice, you need to define data flows through an ACL and quote the ACL in a security policy. Therefore, data flows are protected.

According to ACL rules, IPsec identifies which packets need or do not need security protection. Data flows matching advanced ACLs (permit) are protected and sent after being processed by IPsec. Data flows that do not match advanced ACLs are transmitted directly. Data flows that need to be encrypted but actually not are considered as attack data flows and discarded.

Pay attention to the following items:

An inexistent ACL or an ACL without any rule cannot be applied to IPsec policy.
IPsec policy supports only advanced ACL (including numbered and named ACL).
Rules in an advanced ACL can match data flows according to the source or destination IP address, source or destination port, and protocol number only.
The ACL applied to an IPsec policy does not support deny rule.
The ACL applied to an IPsec policy cannot contain rules quoting address sets/port sets.
The source and destination port numbers in the ACL applied to an IPsec policy can be specified by the eq parameter, rather than the lt, gt, and range parameters.
An IPsec policy can only be applied one ACL. The original configuration must be deleted when a new ACL is applied.
ACLs configured in the same IPsec policy group cannot include the same rules.

**Table 1** Matching Principles of ACLs Applied to an IPsec Policy
ACL Matching Result	IPsec Processing Result
The packet matches the permit rule	The packet is processed by IPsec, and then be forwarded.
The packet matches the deny rule	The packet is forwarded directly.
The relative ACL exists and there are rules in the ACL, but the packet does not match any rule	The packet is forwarded directly.
The relative ACL does not exist	IPsec does not support these kinds of ACLs
The relative ACL exists but there is no rule in the ACL	IPsec does not support these kinds of ACLs