[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

How to reduce number of IPSEC security policies that need to be configured?

      I stumbled upon a problem and appreciate any feedback from the group.
      We are creating a Security Router with Firewall, IPSEC, IKE and
      L2TPoIPSEC AND transparent proxy for  EMAIL (SMTP) for Spam
      control and antiVirus.

When proxy is enabled, we observed that we needed to create multiple
IPSEC policies between two sites. With more number of sites, number of policies
that are required to be configured go up and that could be a big deployment problem.

Let me explain the two site scenario:

HO Network-----SecurityGateway(HO)-----Internet-------SecurityGateway(BO)----BO Network.

HO Network: HO WAN side IP address: BO WAN Side IP address: BO Network:

Typically one security policy of type: to ----> Apply Security with 3DES+SHA1 on HO SG
would be good enough for securing the traffic from HO to BO.

When SMTP Spam control proxy is enabled, the connection from the client is terminated at
the proxy and proxy creates new connection. New connection's source IP is now
This does not fall on above Security Policy. Due to this, one more Security policy needs to
be created i.e to --------> Apply Security with 3DES+SHA1 on HO SG.

Similarly, for BO Security Gateway Proxy to work, we need to create one more Security policy
on HO SG i.e. to ----> Apply Security with 3DES+SHA1.

Two more extra policies have to be created apart from Network to Network Security policy.
If we have more number of WAN IP addresses and more branch offices, the number of policies
that are to be created will go up dramatically.

As a box vendor, we would like to reduce the number of policies that need to be created between
two sites by the end users. Ideally, we would like one security policy for each peer site.

I could think of two proposals:
Proposal 1:
IKE/IPSEC allow security policy with multiple IP address and Port ranges. IKE allows
multiple ID payloads OR a single ID payload with multiple IP address ranges and Port ranges.
Proposal 2:
Negotiation of opaque ID in quick mode. Either explicit selectors can be negotiated OR
opaque ID can be negotiated. IN case of opaque ID negotiation, both peers are assumed to
relate set of selectors to the opaque ID. In above example, all three security policies have
one opaque ID shared between them. Whenever there is any packet matching any of these
three security policies, opaque ID is sent as part of QM ID payload. Security bundles, that are
created due to this, will be applicable for all three security policies. On the receiving side, once
the packet is decrypted, it should be allowed to pass, if it matches with any of the three inbound
security policies.

Any other solutions which does not require modifications to standards?


The Views Presented in this mail are completely mine. The company is not responsible for what so ever.

Ravi Kumar CH
Rendezvous On Chip (I) Pvt Ltd
Hyderabad, INDIA