[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Question on inbound IPSEC policy check



SG1 contains the 2 IPSEC policies:
    1. protocol TCP and port 80
    2. protocol ANY

SG2 contains the one IPSEC policy of protocol ANY.

Office2Network starts the IKE negotiation for protocol ANY, after the negotiation SG2 will send the HTTP traffic with SAs created.

In IKE negotiation, we are informing the allowable traffic as protocol ANY.
 In this case, HTTP is part of protocol ANY.

So, if SG1 rejects inbound traffic coming from SG2, then how SG2 knows??


At 09:36 AM 4/28/03 -0400, Stephen Kent wrote:
At 11:22 AM +0530 4/28/03, Jyothi wrote:

If we reject the traffic, how do we inform the peer???
I think there might be some inter-operability issues.


If the SAs are established using IKE, then the payloads passed during the IKE negotiations will inform the peer of the range of allowable traffic, so it will not be a surprise.