[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Question on inbound IPSEC policy check



Hi,

If we reject the traffic, how do we inform the peer???
I think there might be some inter-operability issues.

Thanks
Jyothi

At 02:13 PM 4/25/03 -0400, Stephen Kent wrote:
At 1:03 PM +0530 4/23/03, Jyothi wrote:
Hi all,

I have a question regarding the inbound SPD policy checking.

Please consider the following scenario:

Office1Network-----SG1---------Internet------------SG2-------Office2Network.

Office1Network has HTTP as well as other services hosted.
Office1 administartor wants to make sure that all HTTP traffic has to go with
3DES and SHA1

And all other traffic can go with AH MD5 and no encyrption is required for
performance reasons.

In this case, if office2Network SG is mis-configured or they did not even
configure HTTP policy.



office2Network administrator is configured only one policy for all traffic with AH MD5


Then SG1 accepts the HTTP traffic and process it.
After IPSEC processing, SHOULD WE ACCEPT THOSE PACKETS OR DROP THOSE PACKETS, because higher priority SPD policy is created for the HTTP traffic.


Any advice on this would be greatly appreciated


Thanks in advance, Jyothi

Yes, the exit check at SG1 should reject traffic that has either source or dest port = 80, consistent with the policy you articulated above.