F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100
• Avoid statement conflicts in the scope of IPsec policy groups. When creating a deny statement, be
careful with its matching scope and its matching order relative to permit statements. The policies in an
IPsec policy group have different match priorities, and ACL rule conflicts between them can easily
cause packets to be handled incorrectly. For example, when configuring a permit statement for an IPsec
policy to protect an outbound traffic flow, you must avoid the situation where the traffic flow matches
a deny statement in a higher priority IPsec policy. Otherwise, the packets will be sent out as normal
packets, and if they match a permit statement at the receiving end, they will be dropped by IPsec.
The following configuration example shows how an improper statement causes unexpected packet
dropping. Only the ACL-related configurations are presented.
Firewall A connects the segment 1.1.2.0/24 and Firewall B connects the segment 3.3.3.0/24. On
Firewall A, apply the IPsec policy group test to the outbound interface of Firewall A. The IPsec policy
group contains two policies, test 1 and test 2. The ACLs referenced by the two policies each contain a
rule that matches traffic from 1.1.2.0/24 to 3.3.3.0/24. The one referenced in policy test 1 is a deny
statement and the one referenced in policy test 2 is a permit statement. Because test 1 is matched before
test 2, traffic from 1.1.2.0/24 to 3.3.3.0/24 will match the deny statement and be sent as normal traffic.
When the traffic arrives at Firewall B, it will be dropped if it matches a permit statement in the ACL
referenced by the applied IPsec policy.
• Configure Firewall A:
acl number 3000
rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
rule 1 deny ip
acl number 3001
rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3000
ike-peer aa
transform-set 1
#
ipsec policy test 2 isakmp
security acl 3001
ike-peer bb
transform-set 1
• Configure Firewall B:
acl number 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3001
ike-peer aa
transform-set 1
2. Mirror image ACLs
To make sure that SAs can be set up and the traffic protected by IPsec can be processed correctly at the
remote peer, on the remote peer, create a mirror image ACL rule for each ACL rule created at the local
peer. As shown in Figure 126, ACL rules on Firewall B are mirror images of the rules on Firewall A. This