-------- Original Message --------
From: "Jyothi" <vjyothi@intotoinc.com>
To: "Stephen Kent" <kent@bbn.com>, "Jyothi" <vjyothi@intotoinc.com>
Cc: ipsec@lists.tislabs.com
Subject: Re: Question on inbound IPSEC policy check
Date: Thu 05/01/03 06:08 PM
Hi,

I had a doubt in the following scenario:

>>Office1Network-----SG1---------Internet------------SG2-------Office2Network.

SG1 has two outbound and two inbound policies of auto key management.

Outbound policies:
1. Source as office1network, destination as office2network, protocol as TCP,
   source port and destination port 80. IPSEC attributes: ESP, DES.
   This policy is configured with higher priority.
2. Source as office1network, destination as office2network, protocol as ANY.
   IPSEC attributes: AH, MD5.
   This policy is configured with low priority.

Inbound policies:
1. Source as office2network, destination as office1network, protocol as TCP,
   source port and destination port 80. IPSEC attributes: ESP, DES.
   This policy is configured with higher priority.
2. Source as office2network, destination as office1network, protocol as ANY.
   IPSEC attributes: AH, MD5.
   This policy is configured with low priority.

SG2 has one outbound and one inbound policy of auto key management:

Outbound policy:
1. Source as office2network, destination as office1network, protocol as ANY.
   IPSEC attributes: AH, MD5.

Inbound policy:
1. Source as office1network, destination as office2network, protocol as ANY.
   IPSEC attributes: AH, MD5.

SG2 started IKE negotiation with its configured IPSEC policy.
After IKE negotiation, IPSEC SAs will be created on both sides with IPSEC
attributes AH and MD5.

When SG2 sends the HTTP traffic using the above SAs, SG1 processes the
inbound IPSEC packets; after processing, it finds the IPSEC policy with the
packet selectors.
In this case SG1 has a separate IPSEC policy configured for HTTP traffic
(IPSEC attributes ESP, DES) with higher priority.

My doubt was "Do we need to drop such inbound traffic on the SG1 side???"

As per Ramana's mail I have gone through RFC 2401 section 5.2.1.
Now my understanding is that we should not drop such traffic.

I hope the above description is clear.
Please let me know if my understanding is correct.

Thanks
Jyothi
At 05:14 PM 4/30/03 -0400, Stephen Kent wrote:
>At 9:58 AM +0530 4/29/03, Jyothi wrote:
>>Hi,
>>
>>Office1Network-----SG1---------Internet------------SG2-------Office2Network.
>>
>>SG1 contains the 2 IPSEC policies:
>> 1. protocol TCP and port 80
>> 2. protocol ANY
>>
>>SG2 contains the one IPSEC policy of protocol ANY.
>>
>>Office2Network starts the IKE negotiation for protocol ANY, after the
>>negotiation SG2 will send the HTTP traffic with SAs created.
>>
>>In IKE negotiation, we are informing the allowable traffic as protocol ANY.
>> In this case, HTTP is part of protocol ANY.
>>
>>So, if SG1 rejects inbound traffic coming from SG2, then how SG2 knows??
>>
>>Thanks
>>Jyothi
>
>I don't understand all of the assumptions underlying your example. Note
>that SPD entries are directional, and thus must be separately defined for
>inbound and outbound traffic flows. So, please restate your example in
>those terms, and let's see if there is a problem. Ramana's message
>indicated why this might not be a problem, but until you state the full
>set of assumptions about the SPDs at each end, I don't know how to
>interpret the example.
>
>Steve
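The directional SPD lookup Steve asks Jyothi to spell out, together with the inbound step of RFC 2401 section 5.2.1 that Jyothi's question turns on, as an added model written for this thread (example code, not from the thread, RFC 2401 or any IPsec implementation). SG1's two inbound and two outbound entries are the thread's own values (both ports 80, ESP for HTTP, AH for everything else); the address ranges, the 192.0.2.7 outsider, the class and function names and the `applied` tuple are assumptions of this example. The last step does what section 5.2.1 describes: after the SAs have been applied, find the inbound SPD entry matching the packet's selectors and verify that the kind and order of SAs the packet arrived under are the ones that entry requires. Whether a gateway should stop at the first matching entry, as this model does, is exactly what the thread is debating; the model shows what the literal check yields for the HTTP-over-AH case and its neighbours.

```python
"""Directional SPD lookup plus the RFC 2401 section 5.2.1 inbound check.

Added example modelling SG1 from the thread. Address ranges, names and the
Packet.applied field are assumptions of this example, not values from the
thread or from any real implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "ANY"

# Constructed address ranges standing in for the thread's "office1network"
# and "office2network" (the thread gives only the names).
OFFICE1 = "10.1.0.0/16"
OFFICE2 = "10.2.0.0/16"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "TCP", "UDP", "ICMP", ...
    src_port: Optional[int]
    dst_port: Optional[int]
    # IPsec protocols whose SAs the packet arrived under, outermost first,
    # as recovered from the SAD lookups of section 5.2.1 (inbound only).
    applied: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Selector:
    src_net: str
    dst_net: str
    proto: str = ANY
    src_port: Optional[int] = None  # None means any port
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """True when every selector field is either wildcard or equal."""
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.proto in (ANY, pkt.proto)
                and self.src_port in (None, pkt.src_port)
                and self.dst_port in (None, pkt.dst_port))


@dataclass(frozen=True)
class SPDEntry:
    name: str
    selector: Selector
    required: Tuple[str, ...]       # IPsec protocols the policy requires
    priority: int                   # lower number = searched first


# SG1's inbound SPD as the thread states it: the HTTP entry (TCP, both ports
# 80, ESP) has higher priority than the catch-all (protocol ANY, AH).
SG1_INBOUND: List[SPDEntry] = [
    SPDEntry("http-esp", Selector(OFFICE2, OFFICE1, "TCP", 80, 80), ("ESP",), 1),
    SPDEntry("any-ah",   Selector(OFFICE2, OFFICE1, ANY),           ("AH",),  2),
]
# The outbound SPD is a separate, independently searched list; SPD entries
# are directional, which is the point Steve's reply makes.
SG1_OUTBOUND: List[SPDEntry] = [
    SPDEntry("http-esp", Selector(OFFICE1, OFFICE2, "TCP", 80, 80), ("ESP",), 1),
    SPDEntry("any-ah",   Selector(OFFICE1, OFFICE2, ANY),           ("AH",),  2),
]


def lookup(spd: List[SPDEntry], pkt: Packet) -> Optional[SPDEntry]:
    """First entry, in priority order, whose selectors match the packet."""
    for entry in sorted(spd, key=lambda e: e.priority):
        if entry.selector.matches(pkt):
            return entry
    return None


def inbound_check(spd: List[SPDEntry], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Section 5.2.1 inbound check: the SAs the packet actually arrived under
    must be the kind and order the matched inbound entry requires.
    Returns (verdict, name of the matched entry or None)."""
    entry = lookup(spd, pkt)
    if entry is None:
        return "DISCARD", None              # no inbound policy covers it
    if pkt.applied == entry.required:
        return "ACCEPT", entry.name
    return "DISCARD", entry.name            # protected, but not as required


def thread_scenario() -> dict:
    """Jyothi's exact case (HTTP arriving over the AH SA) and its neighbours."""
    http_over_ah  = Packet("10.2.0.5", "10.1.0.9", "TCP", 80, 80, applied=("AH",))
    http_over_esp = Packet("10.2.0.5", "10.1.0.9", "TCP", 80, 80, applied=("ESP",))
    ping_over_ah  = Packet("10.2.0.5", "10.1.0.9", "ICMP", None, None, applied=("AH",))
    outsider      = Packet("192.0.2.7", "10.1.0.9", "TCP", 80, 80, applied=("AH",))
    return {
        "http_over_ah":  inbound_check(SG1_INBOUND, http_over_ah),
        "http_over_esp": inbound_check(SG1_INBOUND, http_over_esp),
        "ping_over_ah":  inbound_check(SG1_INBOUND, ping_over_ah),
        "outsider":      inbound_check(SG1_INBOUND, outsider),
    }


if __name__ == "__main__":
    for case, (verdict, entry) in thread_scenario().items():
        print(f"{case:14s} -> {verdict:7s} (matched SPD entry: {entry})")
```

Run as a script it prints one verdict per case. Under the literal check, HTTP arriving over the AH SA matches the higher-priority `http-esp` entry and is discarded because that entry requires ESP, while ICMP over the same SA matches `any-ah` and is accepted; the outbound list never matches an office2-to-office1 packet at all, which is why the two directions have to be stated separately as Steve asks. The model stops at the first matching entry and does not fall through to `any-ah` for the HTTP packet; a gateway that did fall through would reach the opposite conclusion, and that is the choice Jyothi's reading of section 5.2.1 hinges on.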