I have a hub-and-spoke IPSec+DSVPN network with many spokes. I have noticed that if a simple misconfiguration happens, with the result that at one end (router) there is no ipsec profile command on the tunnel interface (regardless of whether I refer to a spoke-hub or spoke-spoke connection), it is still possible to communicate. There are obviously no IPSec SAs, but NHRP delivers the routes and traffic flows, so connectivity is a fact.
My question is: is there a way to ensure that, if there is no ipsec profile command on the tunnel interface at one end and there is an ipsec profile on the other end's tunnel (on the hub, for example, or the other spoke), the latter will somehow block the unencrypted traffic totally?
I tried ipsec decrypt check, but it seems to be a command for other scenarios.
It's a bit of an issue in terms of security, and I have failed to figure out a solution so far.
Any advice welcome :)
Or maybe it's a soft bug or something.
The boxes are AR161, AR1220E - V200R009 with SPH012
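As an added example (not part of the original post and not Huawei tooling), the misconfiguration described above can be caught offline by auditing saved router configurations for DSVPN tunnel interfaces that have no `ipsec profile` bound. The sample configuration is constructed, the profile name and addresses are placeholders, and the section layout is assumed to follow typical `display current-configuration` output.

```python
import re

# Constructed sample in the style of `display current-configuration` output.
SAMPLE_CONFIG = """\
#
interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/1
 nhrp entry multicast dynamic
 ipsec profile dsvpn-prof
#
interface Tunnel0/0/1
 ip address 172.16.2.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/2
 nhrp entry multicast dynamic
#
interface GigabitEthernet0/0/1
 ip address 203.0.113.1 255.255.255.0
#
"""

def parse_interfaces(config_text):
    """Return {interface_name: [stripped sub-commands]} in file order."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '#' or any other top-level line ends the section
    return interfaces

def unprotected_dsvpn_tunnels(config_text):
    """Names of mGRE/NHRP tunnel interfaces with no 'ipsec profile' bound."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        is_dsvpn = any(c.startswith(("tunnel-protocol gre p2mp", "nhrp "))
                       for c in cmds)
        has_ipsec = any(re.match(r"ipsec profile\s+\S+", c) for c in cmds)
        if is_dsvpn and not has_ipsec:
            findings.append(name)
    return findings

if __name__ == "__main__":
    for name in unprotected_dsvpn_tunnels(SAMPLE_CONFIG):
        print(f"{name}: DSVPN tunnel without ipsec profile")
```

This only detects the missing binding in a configuration backup; it does not make the peer reject unencrypted traffic, which is what the question asks for.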