Re: 2401bis Issue #67 -- IPsec management traffic
In your previous mail you wrote:
There is one slight catch, however. There is no SPD entry action to
cause delivery of a received message to IKE. So, while your example
is appropriate for outbound IKE traffic, I don't think we ever
defined a way to express appropriate internal forwarding of inbound
IKE traffic. Any suggestions?
=> I agree but I don't believe there is a solution inside IPsec itself:
to enforce the delivery of packets matching a filter to a process/user/...
is a "personal firewall" function only.
[Throwing in a few pennies until Steve returns...]
Are you speaking of hosts here? While it might work there,
a "personal firewall" seems odd applied to SGs. A general
solution would be to add another action in the SPD, e.g.,
"direct to security management".