246• Each ACL rule matches both the outbound traffic and the returned inbound traffic.• In the outbound direction, if a permit statement is matched, IPsec considers that the packet requiresprotection and continues to process it. If a deny statement is matched or no match is found, IPsecconsiders that the packet does not require protection and delivers it to the next function module.• In the inbound direction:{ Non-IPsec packets that match a permit statement are dropped.{ IPsec packets that match a permit statement and are destined for the device itself arede-encapsulated. By default, the device matches the de-encapsulated packets against the ACLagain and, if they match a permit statement, continues to process the packets. If ACL checkingfor de-encapsulated packets is disabled, the device directly processes the de-encapsulatedpackets without matching against the ACL.When defining ACL rules for IPsec, follow these guidelines:• Permit only data flows that need to be protected and use the any keyword with caution. With theany keyword specified in a permit statement, all outbound traffic matching the permit statement willbe protected by IPsec and all inbound IPsec packets matching the permit statement will be receivedand processed, but all inbound non-IPsec packets will be dropped. This will cause all the inboundtraffic that does not need IPsec protection to be dropped.• Avoid statement conflicts in the scope of IPsec policy entries. When creating a deny statement, becareful with its matching scope and matching order relative to permit statements. The policy entriesin an IPsec policy have different match priorities. ACL rule conflicts between them are prone tocause mistreatment of packets. For example, when configuring a permit statement for an IPsecpolicy entry to protect an outbound traffic flow, you must avoid the situation that the traffic flowmatches a deny statement in a higher priority IPsec policy entry. Otherwise, the packets will be sentout as normal packets. If they match a permit statement at the receiving end, they will be droppedby IPsec.Mirror image ACLsTo make sure SAs can be set up and the traffic protected by IPsec can be processed correctly betweentwo IPsec peers, create mirror image ACLs on the IPsec peers.If the ACL rules on IPsec peers do not form mirror images of each other, SAs can be set up only when bothof the following requirements are met:• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the otherpeer.• The peer with the narrower rule initiates SA negotiation. If a wider ACL rule is used by the SAinitiator, the negotiation request might be rejected because the matching traffic is beyond the scopeof the responder.Configuring an IPsec transform setAn IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation,including the security protocol, encryption algorithms, and authentication algorithms.Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes toexisting SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up by using theupdated parameters.To configure an IPsec transform set: