R0106-HP MSR Router Series Security Configuration Guide(V7)
252
out as normal packets. If they match a permit statement at the receiving end, they will be dropped
by IPsec.
The following example shows how an improper statement causes unexpected packet dropping. Only the
ACL-related configurations are presented.
Assume Router A connects subnet 1.1.2.0/24 and Router B connects subnet 3.3.3.0/24, and the IPsec
policy configurations on Router A and Router B are as follows:
• IPsec configurations on Router A:
acl number 3000
rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
rule 1 deny ip
acl number 3001
rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip
#
ipsec policy testa 1 isakmp <---IPsec policy entry with a higher priority
security acl 3000
ike-profile aa
transform-set 1
#
ipsec policy testa 2 isakmp <---IPsec policy entry with a lower priority
security acl 3001
ike-profile bb
transform-set 1
• IPsec configurations on Router B:
acl number 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip
#
ipsec policy testb 1 isakmp
security acl 3001
ike-profile aa
transform-set 1
Apply the IPsec policy testa to the outbound interface of Router A. The IPsec policy contains two
policy entries, testa 1 and testa 2. The ACLs referenced by the two policy entries each contain a rule
that matches traffic from 1.1.2.0/24 to 3.3.3.0/24: in ACL 3000 (referenced by policy entry testa 1) it is
the catch-all deny statement, and in ACL 3001 (referenced by policy entry testa 2) it is a permit statement.
Because policy entry testa 1 is matched before testa 2, traffic from 1.1.2.0/24 to 3.3.3.0/24 hits the deny
statement first and is sent as normal (unprotected) traffic. When the traffic arrives at Router B, it matches
rule 0 (a permit statement) in ACL 3001, which is referenced by the applied IPsec policy testb. Because
non-IPsec traffic that matches a permit statement must be dropped on the inbound interface, Router B drops
the traffic.
To make sure subnet 1.1.2.0/24 can access subnet 3.3.3.0/24, you can delete the deny rule in ACL
3000 on Router A.
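To make the matching order concrete, the following script is an added example (not part of the configuration guide) that parses the Router A and Router B snippets above and traces one packet through the lookup the text describes: policy entries are tried in priority order, the first matching ACL rule decides, a deny sends the packet in the clear, and the receiver drops unprotected traffic that hits a permit statement. It assumes the receiver checks inbound packets against the ACL with source and destination swapped (the ACL describes the peer's outbound traffic, which is why rule 0 of Router B's ACL 3001 matches a packet from 1.1.2.0/24), that protected traffic is accepted, and that only the rule syntax used in the snippets needs parsing. The config strings, the `delete_rule` helper (standing in for `undo rule 1` in the ACL view) and the sample addresses are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample config, transcribed from the Router A / Router B snippets in
# the text (annotations and ike-profile / transform-set lines omitted).
ROUTER_A = """\
acl number 3000
 rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
 rule 1 deny ip
acl number 3001
 rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
 rule 1 deny ip
#
ipsec policy testa 1 isakmp
 security acl 3000
#
ipsec policy testa 2 isakmp
 security acl 3001
"""
ROUTER_B = """\
acl number 3001
 rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
 rule 1 deny ip
#
ipsec policy testb 1 isakmp
 security acl 3001
"""

ANY = (0, 0xFFFFFFFF)  # (network, wildcard); an all-ones wildcard matches everything


def _matches(ip, net_wild):
    net, wild = net_wild
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ip) & care) == (net & care)


@dataclass
class Rule:
    action: str  # "permit" or "deny"
    src: tuple
    dst: tuple

    def matches(self, src_ip, dst_ip):
        return _matches(src_ip, self.src) and _matches(dst_ip, self.dst)


RULE_RE = re.compile(
    r"rule\s+\d+\s+(permit|deny)\s+ip"
    r"(?:\s+source\s+(\S+)\s+(\S+))?(?:\s+destination\s+(\S+)\s+(\S+))?")


def _addr(net, wild):
    if net is None:  # no source/destination keyword: matches any address
        return ANY
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))


def parse_config(text):
    """Return (acls, policies). acls: number -> [Rule] in rule order.
    policies: name -> [(seq, acl number)] sorted so the lower seq comes first."""
    acls, policies, acl, entry = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"acl number (\d+)", line):
            acl = acls.setdefault(int(m.group(1)), [])
        elif m := RULE_RE.match(line):
            action, sn, sw, dn, dw = m.groups()
            acl.append(Rule(action, _addr(sn, sw), _addr(dn, dw)))
        elif m := re.match(r"ipsec policy (\S+) (\d+) isakmp", line):
            entry = (m.group(1), int(m.group(2)))
        elif m := re.match(r"security acl (\d+)", line):
            policies.setdefault(entry[0], []).append((entry[1], int(m.group(1))))
    for entries in policies.values():
        entries.sort()
    return acls, policies


def outbound(acls, entries, src_ip, dst_ip):
    """Sender lookup as the text describes it: walk the policy entries by priority;
    the first ACL rule that matches decides. permit -> protect with that entry,
    deny (or no match in any entry) -> forward in the clear."""
    for seq, num in entries:
        for rule in acls[num]:
            if rule.matches(src_ip, dst_ip):
                return ("protect" if rule.action == "permit" else "clear"), seq
    return "clear", None


def inbound(acls, entries, src_ip, dst_ip, protected):
    """Receiver check (assumption: the ACL describes the peer's outbound traffic, so
    source and destination are swapped before matching, which is what makes mirror
    image ACLs necessary). Unprotected traffic that hits a permit statement is
    dropped; protected traffic is assumed to decrypt and is accepted."""
    if protected:
        return "accept"
    for _seq, num in entries:
        for rule in acls[num]:
            if rule.matches(dst_ip, src_ip):
                return "drop" if rule.action == "permit" else "accept"
    return "accept"


def trace(config_a, config_b, src, dst, policy_a="testa", policy_b="testb"):
    """Follow one packet from Router A to Router B: (sender action, entry seq, verdict)."""
    acls_a, pols_a = parse_config(config_a)
    acls_b, pols_b = parse_config(config_b)
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    action, seq = outbound(acls_a, pols_a[policy_a], s, d)
    return action, seq, inbound(acls_b, pols_b[policy_b], s, d, action == "protect")


def delete_rule(config, acl_number, rule_id):
    """Emulate 'undo rule <id>' in the ACL view (the fix the text recommends)."""
    out, in_target = [], False
    for line in config.splitlines():
        if line.startswith("acl number"):
            in_target = line.split()[2] == str(acl_number)
        elif not line.startswith(" "):
            in_target = False
        if not (in_target and line.strip().startswith(f"rule {rule_id} ")):
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print("as configured:", trace(ROUTER_A, ROUTER_B, "1.1.2.10", "3.3.3.10"))
    print("after 'undo rule 1' in acl 3000:",
          trace(delete_rule(ROUTER_A, 3000, 1), ROUTER_B, "1.1.2.10", "3.3.3.10"))
```

With the configuration as given, a packet from 1.1.2.10 to 3.3.3.10 is sent in the clear by entry testa 1 and dropped by Router B; after the deny rule is removed from ACL 3000, the same packet falls through to testa 2, is protected, and is accepted. The same trace also shows that the fix does not change how 1.1.1.0/24 to 2.2.2.0/24 traffic is handled, which is the point of deleting only the deny statement rather than the whole entry.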
Mirror image ACLs
To make sure SAs can be set up and the traffic protected by IPsec can be processed correctly between
two IPsec peers, create mirror image ACLs on the IPsec peers. As shown in Figure 78, ACL rules on Router