
Re: Question on inbound IPSEC policy check



Hi,

If we reject the traffic, how do we inform the peer???
I think there might be some inter-operability issues.

Thanks
Jyothi

At 02:13 PM 4/25/03 -0400, Stephen Kent wrote:
>At 1:03 PM +0530 4/23/03, Jyothi wrote:
>>Hi all,
>>
>>I have a question regarding the inbound SPD policy checking.
>>
>>Please consider the following scenario:
>>
>>Office1Network-----SG1---------Internet------------SG2-------Office2Network.
>>
>>Office1Network has HTTP as well as other services hosted.
>>Office1 administrator wants to make sure that all HTTP traffic has to go with
>>3DES and SHA1
>>
>>And all other traffic can go with AH MD5 and no encryption is required for
>>performance reasons.
>>
>>In this case, if the office2Network SG is mis-configured, or they did not even
>>configure an HTTP policy (the office2Network administrator has configured only
>>one policy, for all traffic, with AH MD5),
>>then SG1 accepts the HTTP traffic and processes it.
>>After IPSEC processing, SHOULD WE ACCEPT THOSE PACKETS OR DROP THOSE 
>>PACKETS, because higher priority SPD policy is created for the HTTP traffic.
>>
>>Any advice on this would be greatly appreciated
>>
>>
>>Thanks in advance,
>>Jyothi
>
>Yes, the exit check at SG1 should reject traffic that has either source
>or dest port = 80, consistent with the policy you articulated above.
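A minimal model of the inbound SPD check Stephen describes, added here as an illustration and not part of the thread. The SPD entries, SA attributes and port numbers are constructed from the scenario in the message; the question of how the peer is notified is not modelled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class SpdEntry:
    name: str
    port: Optional[int]        # None means "any port"
    protocol: str              # "ESP" or "AH"
    encryption: Optional[str]  # None for AH (no encryption)
    integrity: str

@dataclass
class SaInfo:
    """Attributes of the SA that actually protected the inbound packet."""
    protocol: str
    encryption: Optional[str]
    integrity: str

# Constructed SPD for SG1, ordered highest priority first, as in the scenario:
# HTTP must use ESP with 3DES and SHA1; everything else may use AH with MD5.
SPD = [
    SpdEntry("http-strong", 80, "ESP", "3DES", "HMAC-SHA1"),
    SpdEntry("default-auth", None, "AH", None, "HMAC-MD5"),
]

def lookup_spd(src_port: int, dst_port: int) -> Optional[SpdEntry]:
    """First SPD entry whose selector matches either port (ordered search)."""
    for entry in SPD:
        if entry.port is None or entry.port in (src_port, dst_port):
            return entry
    return None

def inbound_policy_check(src_port: int, dst_port: int, sa: SaInfo) -> Tuple[bool, str]:
    """Decide whether a decapsulated packet may be forwarded.

    The packet's selectors are matched against the SPD, and the SA that
    protected it must satisfy what the matching entry requires; otherwise
    the packet is discarded and the reason is returned for the audit log.
    """
    entry = lookup_spd(src_port, dst_port)
    if entry is None:
        return False, "no matching SPD entry: discard"
    required = (entry.protocol, entry.encryption, entry.integrity)
    actual = (sa.protocol, sa.encryption, sa.integrity)
    if actual != required:
        return False, (f"protected by {actual}, but '{entry.name}' "
                       f"requires {required}: discard")
    return True, f"accepted under '{entry.name}'"
```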