[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
How to reduce number of IPSEC security policies that need to be configured?
I stumbled upon a problem and appreciate any feedback from the group.
We are creating a Security Router with Firewall, IPSEC, IKE and
L2TPoIPSEC AND transparent proxy for EMAIL (SMTP) for Spam
control and antiVirus.
When proxy is enabled, we observed that we needed to create multiple
IPSEC policies between two sites. With more number of sites, number
that are required to be configured go up and that could be a big
Let me explain the two site scenario:
HO Network: 10.1.5.0/24
HO WAN side IP address: 126.96.36.199
BO WAN Side IP address: 188.8.131.52
BO Network: 10.1.6.0/24
Typically one security policy of type:
10.1.5.0/24 to 10.1.6.0/24 ----> Apply Security with
3DES+SHA1 on HO SG
would be good enough for securing the traffic from HO to BO.
When SMTP Spam control proxy is enabled, the connection from the
client is terminated at
the proxy and proxy creates new connection. New connection's source
IP is now 184.108.40.206.
This does not fall on above Security Policy. Due to this, one more
Security policy needs to
be created i.e
220.127.116.11 to 10.1.6.0/24 --------> Apply Security with 3DES+SHA1
on HO SG.
Similarly, for BO Security Gateway Proxy to work, we need to create
one more Security policy
on HO SG i.e. 10.1.5.0/24 to 18.104.22.168 ----> Apply Security with
Two more extra policies have to be created apart from Network to
Network Security policy.
If we have more number of WAN IP addresses and more branch offices,
the number of policies
that are to be created will go up dramatically.
As a box vendor, we would like to reduce the number of policies
that need to be created between
two sites by the end users. Ideally, we would like one security
policy for each peer site.
I could think of two proposals:
IKE/IPSEC allow security policy with multiple IP address and
Port ranges. IKE allows
multiple ID payloads OR a single ID payload with multiple IP
address ranges and Port ranges.
Negotiation of opaque ID in quick mode. Either explicit
selectors can be negotiated OR
opaque ID can be negotiated. IN case of opaque ID negotiation,
both peers are assumed to
relate set of selectors to the opaque ID. In above example, all
three security policies have
one opaque ID shared between them. Whenever there is any packet
matching any of these
three security policies, opaque ID is sent as part of QM ID
payload. Security bundles, that are
created due to this, will be applicable for all three security
policies. On the receiving side, once
the packet is decrypted, it should be allowed to pass, if it
matches with any of the three inbound
Any other solutions which does not require modifications to standards?
The Views Presented in this mail are completely mine. The company is not
responsible for what so ever.
Ravi Kumar CH
Rendezvous On Chip (I) Pvt Ltd
ROC HOME PAGE: