R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

161

162

163

164

165

166

167

168

169

170

155

The matching process stops once a match is found or ends with no match hit. The packet is handled as

follows:

• Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is

a rule as shown in Figure 100. T

his rule matches both traffic from 1.1.1.0 to 2.2.2.0 and returned

traffic from 2.2.2.0 to 1.1.1.0.

Figure 100 An ACL referenced in an IPsec policy

• In the outbound direction, if a permit statement is matched, IPsec considers the packet as requiring

protection and continues to process it. If a deny statement is matched or no match is found, IPsec

considers the packet as not requiring protection and delivers it to the next function module.

• In the inbound direction, if the packet is an IPsec packet and matches a permit statement, IPsec

receives and processes the packet. If the packet is not an IPsec packet and matches a permit

statement, it is discarded.

When defining ACL rules for IPsec, follow these guidelines:

• Make sure that only the data flows to be protected by IPsec are defined in permit statements. If a

packet is protected at the entry of the IPsec tunnel but not at the exit of the IPsec tunnel, it will be

dropped.

• Avoid statement conflicts in the scope of IPsec policy groups. When creating a deny statement, be

careful with its matching scope and matching order relative to permit statements. The policies in an

IPsec policy group have different match priorities. ACL rule conflicts between them are prone to

cause mistreatment of packets. For example, when you configure a permit statement for an IPsec

policy to protect an outbound traffic flow, you must avoid the situation that the traffic flow matches

a deny statement in a higher priority IPsec policy. Otherwise, the packets will be sent out as normal

packets; if they match a permit statement at the receiving end, they will be dropped by IPsec.

The following uses a configuration example to show how a statement conflict causes packet drop. In this

example, only the ACL-related configurations are presented.

Device A connects the segment 1.1.2.0/24 and Device B connects the segment 3.3.3.0/24. On Device

A, apply the IPsec policy group test to the outbound interface to Device B. The IPsec policy group

contains two policies, test 1 and test 2. The ACLs referenced by the two policies each contain a rule that

matches traffic from 1.1.2.0/24 to 3.3.3.0/24. The one referenced in policy test 1 is a deny statement

and the one referenced in policy test 2 is a permit statement. Because test 1 is matched prior to test 2,

traffic from 1.1.2.0/24 to 3.3.3.0/24 will match the deny statement and sent as normal traffic. When the

traffic arrives at Device B, it will be dropped if it matches a permit statement in the ACL referenced in the

applied IPsec policy.

The configurations on Device A are shown in

Figure 101, Figure 102,

and Figure 103.