[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Question on inbound IPSEC policy check
If we reject the traffic, how do we inform the peer???
I think there might be some inter-operability issues.
At 02:13 PM 4/25/03 -0400, Stephen Kent wrote:
At 1:03 PM +0530 4/23/03, Jyothi wrote:
I have a question regarding the inbound SPD policy checking.
Please consider the following scenario:
Office1Network has HTTP as well as other services hosted.
Office1 administartor wants to make sure that all HTTP traffic has to go with
3DES and SHA1
And all other traffic can go with AH MD5 and no encyrption is required for
In this case, if office2Network SG is mis-configured or they did not even
configure HTTP policy.
office2Network administrator is configured only one policy for all
traffic with AH MD5
Then SG1 accepts the HTTP traffic and process it.
After IPSEC processing, SHOULD WE ACCEPT THOSE PACKETS OR DROP THOSE
PACKETS, because higher priority SPD policy is created for the HTTP traffic.
Any advice on this would be greatly appreciated
Thanks in advance,
Yes, the exit check at SG1 should reject traffic that has either source
or dest port = 80, consistent with the policy you articulated above.