[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Question on inbound IPSEC policy check



Hi,

I had a doubt in the following scenario:

Office1Network-----SG1---------Internet------------SG2-------Office2Network.

SG1 has two outbound and two inbound policies of auto key management


outbound policies:
1. source as office1network, destination as office2network, protocol as TCP,
   source port and destination port 80. IPSEC attributes: ESP, DES.
   This policy is configured with higher priority.

2. source as office1network, destination as office2network, protocol as ANY,
   IPSEC attributes: AH, MD5.
   This policy is configured with low priority.

inbound policies:
1. source as office2network, destination as office1network, protocol as TCP,
   source port and destination port 80. IPSEC attributes: ESP, DES.
   This policy is configured with higher priority.

2. source as office2network, destination as office1network, protocol as ANY,
   IPSEC attributes: AH, MD5.
   This policy is configured with low priority.

SG2 has one outbound and one inbound policy of auto key management:

outbound policy:
1. source as office2network, destination as office1network, protocol as ANY,
   IPSEC attributes: AH, MD5.

inbound policy:
1. source as office1network, destination as office2network, protocol as ANY,
   IPSEC attributes: AH, MD5.

SG2 started IKE negotiation with its configured IPSEC policy.

After IKE negotiation , IPSEC SAs will be created both sides with IPSEC attributes : AH and MD5.

When SG2 sends the HTTP traffic with the using above SAs,
SG1 process the inbound IPSEC packets, after processing it finds the IPSEC policy with the packet selectors.


In this case SG1 has separate IPSEC policy is configured for HTTP traffic (IPSEC attributes ESP,DES) with higher priority.

My doubt was "Should we need to drop such inbound traffic in SG1 side???"

As per Ramana's mail I have gone through the RFC 2401 section 5.2.1.

Now my understanding is that we should not drop such traffic.

I hope the above description is clear.

Please let me know if my understanding is correct.

Thanks
Jyothi


At 05:14 PM 4/30/03 -0400, Stephen Kent wrote:
At 9:58 AM +0530 4/29/03, Jyothi wrote:
Hi,

Office1Network-----SG1---------Internet------------SG2-------Office2Network.

SG1 contains the 2 IPSEC policies:
    1. protocol TCP and port 80
    2. protocol ANY

SG2 contains the one IPSEC policy of protocol ANY.

Office2Network starts the IKE negotiation for protocol ANY, after the negotiation SG2 will send the HTTP traffic with SAs created.

In IKE negotiation, we are informing the allowable traffic as protocol ANY.
 In this case, HTTP is part of protocol ANY.

So, if SG1 rejects inbound traffic coming from SG2, then how SG2 knows??

Thanks
Jyothi

I don't understand all of the assumptions underlying your example. Note that SPD entries are directional, and thus must be separately defined for inbound and outbound traffic flows. So, please restate your example in those terms, and let's see if there is a problem. Ramana's message indicated why this might not be a problem, but until you state the full set of assumptions about the SPDs at each end, I don't know how to interpret the example.


Steve