ICMP message from SG to Host to say "Need access to TCP or UDP Protocol or Port information"
I've just had a scan on Appendix D of the IPSEC architecture for help on
generating an ICMP from a Security Gateway to a 'protected host':
Host1----SG1-----SG2----Host2
If Host1 sends packets to Host2 that are ipsec-blocked by SG1, what ICMP
Name/Code could SG1 generate?
What started me thinking about this was the problem of Host1 generating ESP
or IPCOMP packets that obscured the inner TCP/UDP details needed by SG1 to
match on a policy, but I guess this is a generic problem of 'policy block'.
Does "Destination Network Unreachable for Type of Service" cover it?
Cheers, Steve.