If we reject the traffic, how do we inform the peer??? I think there might be some interoperability issues.
Thanks Jyothi
At 1:03 PM +0530 4/23/03, Jyothi wrote:
Hi all,
I have a question regarding the inbound SPD policy checking.
Please consider the following scenario:
Office1Network-----SG1---------Internet------------SG2-------Office2Network.
Office1Network has HTTP as well as other services hosted. The Office1 administrator wants to make sure that all HTTP traffic has to go with 3DES and SHA1,
and all other traffic can go with AH MD5; no encryption is required for performance reasons.
In this case, suppose the Office2Network SG is mis-configured, or they did not even configure an HTTP policy:
the Office2Network administrator has configured only one policy, for all traffic, with AH MD5.
Then SG1 accepts the HTTP traffic and processes it.
After IPSEC processing, SHOULD WE ACCEPT THOSE PACKETS OR DROP THOSE PACKETS, because a higher priority SPD policy is created for the HTTP traffic?
Any advice on this would be greatly appreciated.
Thanks in advance, Jyothi
Yes, the exit check at SG1 should reject traffic that has either source or dest port = 80, consistent with the policy you articulated above.
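The inbound check described above, as an added illustration that is not part of any message in this thread: a toy model of SG1's SPD with the two policies from the question (HTTP requiring ESP 3DES/SHA1, everything else AH MD5) and a post-decapsulation check that drops a packet whose inner selectors fall under a different SPD entry than the one the SA was negotiated for, or whose SA did not apply the protection that entry requires. Port 80 is matched as either source or destination port, as the reply says. All class names, the SPI values and the packet addresses are constructed assumptions, not from the thread.

```python
"""Toy model of an IPsec inbound SPD check (constructed example, not from the thread).
All names, SPIs and addresses below are assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Protection:
    ipsec_proto: str            # "AH" or "ESP"
    integ: str                  # e.g. "hmac-md5", "hmac-sha1"
    enc: Optional[str] = None   # e.g. "3des-cbc"; None means no encryption


@dataclass(frozen=True)
class SPDEntry:
    name: str
    priority: int               # lower number wins (more specific entry first)
    proto: Optional[str]        # None = any IP protocol
    port: Optional[int]         # matched against source OR destination port
    required: Protection        # protection this traffic must have received

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.port is not None and self.port not in (pkt.sport, pkt.dport):
            return False
        return True


@dataclass(frozen=True)
class SA:
    spi: int
    protection: Protection      # what this SA actually applied to the packet
    spd_entry: str              # name of the SPD entry the SA was negotiated for


def lookup_spd(spd: List[SPDEntry], pkt: Packet) -> Optional[SPDEntry]:
    """Ordered SPD lookup: first matching entry by ascending priority."""
    for entry in sorted(spd, key=lambda e: e.priority):
        if entry.matches(pkt):
            return entry
    return None


def satisfies(actual: Protection, required: Protection) -> bool:
    """The SA must have applied exactly the protocol/algorithms the policy demands."""
    return (actual.ipsec_proto == required.ipsec_proto
            and actual.integ == required.integ
            and actual.enc == required.enc)


def inbound_check(spd: List[SPDEntry], sa: SA, pkt: Packet) -> Tuple[str, str]:
    """Post-decapsulation check: the inner packet must fall under the SPD entry the
    SA was negotiated for, and that entry's protection must actually have been applied.
    Returns (verdict, reason); the reason is what an audit log entry would carry."""
    entry = lookup_spd(spd, pkt)
    if entry is None:
        return ("DROP", "no SPD entry matches inner packet")
    if entry.name != sa.spd_entry:
        return ("DROP", f"inner packet matches '{entry.name}' but SA {sa.spi:#x} "
                        f"was negotiated for '{sa.spd_entry}'")
    if not satisfies(sa.protection, entry.required):
        return ("DROP", f"SA {sa.spi:#x} applied {sa.protection} but "
                        f"'{entry.name}' requires {entry.required}")
    return ("ACCEPT", entry.name)


# SG1's policy from the question: HTTP -> ESP 3DES + SHA1; all other traffic -> AH MD5.
SG1_SPD = [
    SPDEntry("http", 1, "tcp", 80, Protection("ESP", "hmac-sha1", "3des-cbc")),
    SPDEntry("other", 10, None, None, Protection("AH", "hmac-md5")),
]

# The mis-configured peer negotiated a single AH-MD5 SA covering all traffic.
AH_MD5_SA = SA(spi=0x1001, protection=Protection("AH", "hmac-md5"), spd_entry="other")
# The SA a correctly configured peer would have set up for HTTP.
ESP_HTTP_SA = SA(spi=0x2002, protection=Protection("ESP", "hmac-sha1", "3des-cbc"),
                 spd_entry="http")


def demo() -> dict:
    """Run the thread's scenario: HTTP and non-HTTP packets arriving on each SA."""
    http = Packet("10.2.0.5", "10.1.0.10", "tcp", 40000, 80)   # constructed addresses
    smtp = Packet("10.2.0.5", "10.1.0.10", "tcp", 40001, 25)
    return {
        "http_on_ah_md5": inbound_check(SG1_SPD, AH_MD5_SA, http),
        "smtp_on_ah_md5": inbound_check(SG1_SPD, AH_MD5_SA, smtp),
        "http_on_esp": inbound_check(SG1_SPD, ESP_HTTP_SA, http),
        "smtp_on_esp": inbound_check(SG1_SPD, ESP_HTTP_SA, smtp),
    }


if __name__ == "__main__":
    for case, (verdict, reason) in demo().items():
        print(f"{case}: {verdict} ({reason})")
```

The mismatch check works in both directions: HTTP arriving on the AH-MD5 SA is dropped because it received weaker protection than its policy requires, and non-HTTP traffic arriving on the HTTP SA is dropped because the SA was not negotiated for that traffic. Either drop is a policy violation worth auditing, since it means the peer's SPD disagrees with the local one.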