HP VPN Firewall Appliances VPN Configuration Guide

164
received and processed, but all inbound non-IPsec packets will be dropped. This causes all inbound
traffic that does not need IPsec protection to be dropped.
• Avoid statement conflicts within the scope of an IPsec policy group. When creating a deny statement,
be careful with its matching scope and its matching order relative to permit statements. The policies
in an IPsec policy group have different match priorities, and ACL rule conflicts between them easily
cause packets to be mishandled. For example, when configuring a permit statement for an IPsec policy
to protect an outbound traffic flow, make sure the traffic flow does not match a deny statement in a
higher-priority IPsec policy. Otherwise, the packets are sent out as normal (unprotected) packets, and
if they match a permit statement at the receiving end, they are dropped by IPsec.
The following configuration example shows how an improper statement causes unexpected packet
dropping. Only the ACL-related configurations are shown.
Firewall A connects to segment 1.1.2.0/24 and Firewall B connects to segment 3.3.3.0/24.
On Firewall A, apply the IPsec policy group test to the outbound interface of Firewall A. The IPsec
policy group contains two policies, test 1 and test 2. The ACLs referenced by the two policies each
contain a rule that matches traffic from 1.1.2.0/24 to 3.3.3.0/24. The one referenced in policy
test 1 is a deny statement and the one referenced in policy test 2 is a permit statement. Because test
1 is matched before test 2, traffic from 1.1.2.0/24 to 3.3.3.0/24 matches the deny statement and is
sent as normal traffic. When the traffic arrives at Firewall B, it is dropped if it matches a permit
statement in the ACL referenced by the applied IPsec policy.
• Configure Firewall A:
acl number 3000
rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
rule 1 deny ip
acl number 3001
rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3000
ike-peer aa
transform-set 1
#
ipsec policy test 2 isakmp
security acl 3001
ike-peer bb
transform-set 1
• Configure Firewall B:
acl number 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3001
ike-peer aa
transform-set 1
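The following Python script is an added illustration of the policy-group matching just described; it is not HP code and not part of the guide. It parses the ACL and policy lines of the two example configurations above, walks the policy group on Firewall A in sequence-number order (first ACL rule hit decides, as the guide describes), and then applies the mirror check on Firewall B to an unprotected inbound packet. The treatment of a deny hit on the receiving side (packet accepted) and the omission of the IKE peer and transform-set lines are simplifying assumptions; the corrected configuration at the end is one possible fix, derived from the guide's advice to keep the flow from matching a deny statement in a higher-priority policy.

```python
"""Simulate IPsec policy group matching for the guide's Firewall A / Firewall B example.
Added illustration, not HP code. Matching order (lowest sequence number first, first ACL
rule hit decides, a deny hit sends the packet as plain traffic) follows the guide's
description; the other behaviours below are simplifying assumptions."""
import ipaddress
import re

# ACL and policy lines copied from the guide's example (ike-peer/transform-set omitted).
FIREWALL_A_CONFIG = """\
acl number 3000
 rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
 rule 1 deny ip
acl number 3001
 rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
 rule 1 deny ip
#
ipsec policy test 1 isakmp
 security acl 3000
#
ipsec policy test 2 isakmp
 security acl 3001
"""

FIREWALL_B_CONFIG = """\
acl number 3001
 rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
 rule 1 deny ip
#
ipsec policy test 1 isakmp
 security acl 3001
"""

# Comware-style rule: "rule N permit|deny ip [source A W] [destination B W]".
RULE_RE = re.compile(
    r"rule\s+\d+\s+(permit|deny)\s+ip"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?"
)
ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_net(addr, wildcard):
    """'address wildcard' pair -> network; ipaddress reads a zero-leading mask as a hostmask."""
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def parse_config(text):
    """Return (acls, policies): acls maps ACL number -> [(action, src_net, dst_net)],
    policies maps policy sequence number -> ACL number (one policy group assumed)."""
    acls, policies, current_acl, current_seq = {}, {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("acl number "):
            current_acl, current_seq = int(line.split()[2]), None
            acls[current_acl] = []
        elif line.startswith("ipsec policy "):
            current_seq, current_acl = int(line.split()[3]), None
        elif line.startswith("security acl ") and current_seq is not None:
            policies[current_seq] = int(line.split()[2])
        elif current_acl is not None:
            m = RULE_RE.match(line)
            if m:
                action, sa, sw, da, dw = m.groups()
                src = wildcard_net(sa, sw) if sa else ANY
                dst = wildcard_net(da, dw) if da else ANY
                acls[current_acl].append((action, src, dst))
    return acls, policies


def outbound_treatment(acls, policies, src, dst):
    """Sending side: ('ipsec', seq) when the first rule hit is a permit, ('plain', seq)
    when it is a deny (later policies are not consulted), ('plain', None) on no hit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in sorted(policies):
        for action, src_net, dst_net in acls[policies[seq]]:
            if s in src_net and d in dst_net:
                return ("ipsec" if action == "permit" else "plain", seq)
    return ("plain", None)


def inbound_plain_treatment(acls, policies, src, dst):
    """Receiving side, unprotected packet: its ACLs describe the outbound direction, so the
    packet is checked against the mirror (dst->src). A permit hit means IPsec expected
    protection and drops it; a deny hit or no hit lets it through (assumption)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in sorted(policies):
        for action, src_net, dst_net in acls[policies[seq]]:
            if d in src_net and s in dst_net:
                return "drop" if action == "permit" else "accept"
    return "accept"


def trace(config_a, config_b, src, dst):
    """End-to-end outcome for one flow: (how A sends it, matching policy seq, what B does)."""
    acls_a, pol_a = parse_config(config_a)
    acls_b, pol_b = parse_config(config_b)
    sent, seq = outbound_treatment(acls_a, pol_a, src, dst)
    if sent == "ipsec":
        return sent, seq, "accept"  # protected traffic; the decryption path is not modelled
    return sent, seq, inbound_plain_treatment(acls_b, pol_b, src, dst)


# One possible fix: remove the catch-all deny from ACL 3000 so the flow falls through
# to policy test 2, whose permit statement protects it.
FIREWALL_A_FIXED = FIREWALL_A_CONFIG.replace(" rule 1 deny ip\nacl number 3001", "acl number 3001", 1)

if __name__ == "__main__":
    print("as configured:", trace(FIREWALL_A_CONFIG, FIREWALL_B_CONFIG, "1.1.2.10", "3.3.3.10"))
    print("after fix:    ", trace(FIREWALL_A_FIXED, FIREWALL_B_CONFIG, "1.1.2.10", "3.3.3.10"))
```

Running the script reproduces the guide's scenario: the 1.1.2.0/24 to 3.3.3.0/24 flow hits the deny in ACL 3000 under policy test 1, leaves Firewall A in the clear, and is dropped at Firewall B because it mirrors a permit rule there; with the catch-all deny removed from ACL 3000, the same flow is protected by policy test 2.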
2. Mirror image ACLs