
Re: Question on inbound IPSEC policy check



At 9:58 AM +0530 4/29/03, Jyothi wrote:
>Hi,
>
>Office1Network-----SG1---------Internet------------SG2-------Office2Network.
>
>SG1 contains the 2 IPSEC policies:
>     1. protocol TCP and port 80
>     2. protocol ANY
>
>SG2 contains the one IPSEC policy of protocol ANY.
>
>Office2Network starts the IKE negotiation for protocol ANY; after 
>the negotiation, SG2 will send the HTTP traffic with the SAs created.
>
>In the IKE negotiation, we inform the peer that the allowable traffic is protocol ANY.
>In this case, HTTP is part of protocol ANY.
>
>So, if SG1 rejects inbound traffic coming from SG2, then how does SG2 know?
>
>Thanks
>Jyothi

I don't understand all of the assumptions underlying your example. 
Note that SPD entries are directional, and thus must be separately 
defined for inbound and outbound traffic flows. So, please restate 
your example in those terms, and let's see if there is a problem. 
Ramana's message indicated why this might not be a problem, but until 
you state the full set of assumptions about the SPDs at each end, I 
don't know how to interpret the example.

Steve
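To make Steve's point concrete, here is an added model (not code from either poster) of directional SPD lookup and the inbound selector check of RFC 2401 processing, using Jyothi's SG1 policies (TCP/80 and ANY) as inbound entries. The `Packet`, `Selector` and `SPDEntry` types and the constructed addresses are assumptions for illustration; the discard is a local, auditable event, so the model says nothing about what SG2 learns.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = "ANY"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "TCP", "UDP", ...
    dport: Optional[int]  # None for protocols without ports

@dataclass(frozen=True)
class Selector:
    proto: object = ANY   # protocol name or ANY
    dport: object = ANY   # port number or ANY

    def matches(self, pkt: Packet) -> bool:
        if self.proto != ANY and self.proto != pkt.proto:
            return False
        return self.dport == ANY or self.dport == pkt.dport

@dataclass(frozen=True)
class SPDEntry:
    direction: str        # "inbound" or "outbound"; entries are directional
    selector: Selector
    action: str           # "PROTECT", "BYPASS" or "DISCARD"

def lookup(spd: List[SPDEntry], direction: str, pkt: Packet) -> Optional[SPDEntry]:
    """Ordered first-match lookup over the entries for ONE direction only.
    No match means the packet is discarded (RFC 2401 default)."""
    for entry in spd:
        if entry.direction == direction and entry.selector.matches(pkt):
            return entry
    return None

def inbound_check(sa_selector: Selector, spd: List[SPDEntry], pkt: Packet) -> str:
    """Inbound processing at SG1 after decapsulation: the inner packet must
    fall within the selectors negotiated for the SA it arrived on, and an
    inbound SPD entry must cover it with action PROTECT."""
    if not sa_selector.matches(pkt):
        return "DISCARD: packet outside the SA's negotiated selectors"
    entry = lookup(spd, "inbound", pkt)
    if entry is None or entry.action != "PROTECT":
        return "DISCARD: no matching inbound PROTECT policy"
    return "ACCEPT"

# SG1's two policies from the question, restated as INBOUND entries (assumption).
SG1_SPD = [
    SPDEntry("inbound", Selector("TCP", 80), "PROTECT"),
    SPDEntry("inbound", Selector(), "PROTECT"),
]
HTTP_FROM_OFFICE2 = Packet("10.2.0.5", "10.1.0.8", "TCP", 80)   # constructed
DNS_FROM_OFFICE2 = Packet("10.2.0.5", "10.1.0.8", "UDP", 53)    # constructed

def demo():
    """SA negotiated for ANY accepts HTTP; an SA negotiated only for TCP/80
    discards a UDP packet before the SPD is even consulted."""
    return (inbound_check(Selector(), SG1_SPD, HTTP_FROM_OFFICE2),
            inbound_check(Selector("TCP", 80), SG1_SPD, DNS_FROM_OFFICE2))
```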