Re: Question on inbound IPSEC policy check
Jyothi,
Since the SPD policies are an ordered list, the priority of the SPD
policies should be followed to check the validity of the decrypted packets w.r.t.
the security policy.
SG1 will drop the unencrypted packets coming from SG2.
Regards,
Ravi
Jyothi wrote:
>Hi all,
>
>I have a question regarding the inbound SPD policy checking.
>
>Please consider the following scenario:
>
>Office1Network-----SG1---------Internet------------SG2-------Office2Network.
>
>Office1Network has HTTP as well as other services hosted.
>Office1 administrator wants to make sure that all HTTP traffic has to go with
>3DES and SHA1
>
>And all other traffic can go with AH MD5 and no encryption is required for
>performance reasons.
>
>In this case, if office2Network SG is mis-configured or they did not even
>configure HTTP policy.
>
>Then SG1 accepts the HTTP traffic and processes it.
>After IPSEC processing, SHOULD WE ACCEPT THOSE PACKETS OR DROP THOSE PACKETS, because higher priority SPD policy is created for the HTTP traffic.
>
>Any advice on this would be greatly appreciated
>
>
>Thanks in advance,
>Jyothi
--
The views presented in this mail are completely mine. The company is not responsible for whatsoever.
----------
Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184
ROC home page
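
The inbound check discussed in this thread, as an added example that is not part of the original posts: after IPsec processing, SG1 walks its ordered SPD, takes the first matching policy, and compares the protection actually applied with what that policy requires. The prefixes, policy names and the `lookup`/`inbound_check` helpers are constructed for illustration, selectors are reduced to addresses and destination port, and discarding when no policy matches is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

Protection = Tuple[str, Optional[str], str]  # (IPsec protocol, cipher, integrity)

@dataclass(frozen=True)
class Policy:
    name: str
    src: str               # remote prefix (Office2Network)
    dst: str               # local prefix (Office1Network)
    dport: Optional[int]   # None matches any destination port
    required: Protection

# Ordered SPD on SG1, highest priority first (prefixes are constructed).
SPD = [
    Policy("http", "10.2.0.0/16", "10.1.0.0/16", 80, ("ESP", "3DES", "SHA1")),
    Policy("other", "10.2.0.0/16", "10.1.0.0/16", None, ("AH", None, "MD5")),
]

def lookup(spd, src, dst, dport):
    """Return the first (highest-priority) policy whose selectors match."""
    for p in spd:
        if (ip_address(src) in ip_network(p.src)
                and ip_address(dst) in ip_network(p.dst)
                and p.dport in (None, dport)):
            return p
    return None

def inbound_check(spd, src, dst, dport, applied):
    """Decide on a packet after IPsec processing.

    applied: protection of the SA the packet arrived on, None for cleartext.
    """
    policy = lookup(spd, src, dst, dport)
    if policy is None:
        return "drop"      # assumption: no matching policy means discard
    if applied != policy.required:
        return "drop"      # protection differs from what the policy demands
    return "accept"

if __name__ == "__main__":
    ah_md5 = ("AH", None, "MD5")
    # SG2 has no HTTP policy, so its HTTP traffic arrives on the AH-MD5 SA.
    print(inbound_check(SPD, "10.2.0.5", "10.1.0.10", 80, ah_md5))
    print(inbound_check(SPD, "10.2.0.5", "10.1.0.10", 22, ah_md5))
```

Swapping the two entries in `SPD` makes the HTTP packet match the catch-all policy first and be accepted under AH MD5, which is why the ordering matters for this check.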