
Re: Question on inbound IPSEC policy check



Hi, Jyothi


>Office1Network-----SG1---------Internet------------SG2-------Office2Network.
>
>SG1 contains the 2 IPSEC policies:
>     1. protocol TCP and port 80
>     2. protocol ANY
>
>SG2 contains the one IPSEC policy of protocol ANY.
>
>Office2Network starts the IKE negotiation for protocol ANY, after the 
>negotiation SG2 will send the HTTP traffic with SAs created.
>
>In IKE negotiation, we are informing the allowable traffic as protocol ANY.
>  In this case, HTTP is part of protocol ANY.
>
>So, if SG1 rejects inbound traffic coming from SG2, then how does SG2 know??
>

Why do you think the inbound traffic will be dropped? To my understanding 
the traffic will not be discarded.
On SG1 the incoming SA (that has been set up by IKE) will be used to process 
the packet. Then it will try to find a matching IPSEC policy. The first 
matching entry will be the protocol-specific one, where the SA is not of 
that policy. So you might be thinking that this will result in the packet 
being dropped. But if you go through section 5.2.1 you will see a NOTE 
where this case is clearly described (as follows):

    NOTE: The correct "matching" policy will not necessarily
          be the first inbound policy found.  If the check in (4)
          fails, steps (3) and (4) are repeated until all policy
          entries have been checked or until the check succeeds


-ramana



>>>If we reject the traffic, how do we inform the peer???
>>>I think there might be some inter-operability issues.



>>If the SAs are established using IKE, then the payloads passed during the 
>>IKE negotiations will inform the peer of the range of allowable traffic, 
>>so it will not be a surprise.
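The inbound check described in the reply above (find the SA by SPI, then walk the SPD and keep going past a selector match whose policy is not the one the SA was negotiated for, as in the NOTE of section 5.2.1 of RFC 2401) is modelled here as an added Python example. It is not code from this thread or from any IPsec implementation; the SG1 policies, SPIs, addresses and the Office1/Office2 prefixes are constructed to mirror the scenario in the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

ANY = "ANY"
PortSpec = Union[int, str]


@dataclass(frozen=True)
class Selector:
    """Traffic selector of an SPD entry (a subset of the RFC 2401 selectors)."""
    src_net: str
    dst_net: str
    protocol: str       # e.g. "TCP", or ANY
    dst_port: PortSpec  # e.g. 80, or ANY

    def matches(self, pkt: "Packet") -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.protocol != ANY and self.protocol != pkt.protocol:
            return False
        if self.dst_port != ANY and self.dst_port != pkt.dst_port:
            return False
        return True


@dataclass(frozen=True)
class Policy:
    name: str
    selector: Selector


@dataclass(frozen=True)
class SA:
    spi: int
    policy: Policy  # the SPD entry this SA was negotiated for by IKE


@dataclass(frozen=True)
class Packet:
    spi: int        # SPI carried in the ESP/AH header the packet arrived with
    src: str
    dst: str
    protocol: str
    dst_port: int


def inbound_policy_check(pkt: Packet, sad: Dict[int, SA],
                         spd: List[Policy]) -> Tuple[str, str]:
    """Return ("accept", policy name) or ("drop", reason) for an inbound packet."""
    # Steps (1)-(2): locate the SA the packet was protected with.
    sa = sad.get(pkt.spi)
    if sa is None:
        return ("drop", "no SA for SPI 0x%x" % pkt.spi)
    # Steps (3)-(4): walk the SPD in order. A selector match alone is not
    # enough; the matching entry must also be the policy this SA belongs to.
    for policy in spd:
        if not policy.selector.matches(pkt):
            continue
        if sa.policy == policy:
            return ("accept", policy.name)
        # First match was a different policy than the SA's: keep walking
        # (this is the case the NOTE in section 5.2.1 describes).
    return ("drop", "no SPD entry matches both the packet and its SA")


# Constructed SG1 configuration from the question: policy 1 is TCP/80,
# policy 2 is protocol ANY; the IKE-negotiated SA from SG2 is bound to ANY.
OFFICE1 = "10.1.0.0/16"   # constructed prefix for Office1Network
OFFICE2 = "10.2.0.0/16"   # constructed prefix for Office2Network
HTTP_POLICY = Policy("tcp-80", Selector(OFFICE2, OFFICE1, "TCP", 80))
ANY_POLICY = Policy("any", Selector(OFFICE2, OFFICE1, ANY, ANY))
SG1_SPD = [HTTP_POLICY, ANY_POLICY]
SG1_SAD = {
    0x1001: SA(0x1001, ANY_POLICY),   # the SA SG2 negotiated for protocol ANY
    0x1002: SA(0x1002, HTTP_POLICY),  # a second SA, bound to the TCP/80 policy
}


def demo() -> Dict[str, Tuple[str, str]]:
    """Run the three cases a practitioner would want to see."""
    http_over_any_sa = Packet(0x1001, "10.2.0.5", "10.1.0.9", "TCP", 80)
    ssh_over_http_sa = Packet(0x1002, "10.2.0.5", "10.1.0.9", "TCP", 22)
    unknown_spi = Packet(0x9999, "10.2.0.5", "10.1.0.9", "TCP", 80)
    return {
        "http over ANY sa": inbound_policy_check(http_over_any_sa, SG1_SAD, SG1_SPD),
        "ssh over TCP/80 sa": inbound_policy_check(ssh_over_http_sa, SG1_SAD, SG1_SPD),
        "unknown spi": inbound_policy_check(unknown_spi, SG1_SAD, SG1_SPD),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-20s -> %s" % (case, verdict))
```

The first case is exactly the one in the question: the HTTP packet first hits the TCP/80 entry, which is not the policy the ANY SA was negotiated for, so the walk continues and the ANY entry accepts it. The second case shows the opposite failure mode that the per-SA check exists to catch: SSH traffic arriving over the SA that IKE negotiated only for TCP/80 matches the ANY selector, but that entry is not the SA's policy, so the packet is dropped rather than let through on the narrower SA.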