HP VPN Firewall Appliances VPN Configuration Guide
165
To make sure that SAs can be set up and that the traffic protected by IPsec can be processed correctly at the remote peer, create on the remote peer a mirror image ACL rule for each ACL rule created at the local peer. As shown in Figure 126, the ACL rules on Firewall B are mirror images of the rules on Firewall A. This makes sure that SAs can be created successfully for the traffic between Host A and Host C and for the traffic between Network 1 and Network 2.
Figure 126 Mirror image ACLs
If the ACL rules on the peers do not form mirror images of each other, SAs can be set up only when both of the following requirements are met:
• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other peer. As shown in Figure 127, the range specified by the ACL rule configured on Firewall A is covered by its counterpart on Firewall B.
• The peer with the narrower rule initiates SA negotiation. If a wider ACL rule is used by the SA initiator, the negotiation request might be rejected because the matching traffic is beyond the scope of the responder. As shown in Figure 127, the SA negotiation initiated by Host A to Host C is accepted, but the SA negotiations from Host C to Host B or from Host D to Host A are rejected.
Figure 127 Non-mirror image ACLs
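The two requirements above (rule coverage, and the narrower peer initiating) can be checked mechanically before an IPsec policy is deployed. The following checker is an added example written for this page; it is not code from the HP guide. It models each ACL rule as a source/destination network pair, tests whether two peers' rules are exact mirror images, whether one rule is covered by its counterpart, and from which side an SA negotiation would be accepted. The addresses for Host A through Host D, Network 1 and Network 2 are constructed for illustration; the guide's figures do not list them.

```python
# Added example (not from the HP guide): a checker for the IPsec ACL
# mirror-image and coverage rules described in the text.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AclRule:
    """One 'permit' line of an IPsec ACL, reduced to a source/destination network pair."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def rule(src: str, dst: str) -> AclRule:
    return AclRule(ipaddress.ip_network(src), ipaddress.ip_network(dst))


def mirror(r: AclRule) -> AclRule:
    """The mirror image of a rule: source and destination swapped."""
    return AclRule(r.dst, r.src)


def is_mirror_pair(local: AclRule, remote: AclRule) -> bool:
    """True when the remote rule is exactly the mirror image of the local one (Figure 126)."""
    return mirror(local) == remote


def covered_by(rule_a: AclRule, rule_b: AclRule) -> bool:
    """True when every flow matched by rule_a (seen from A's side) lies inside the
    range of rule_b (seen from B's side), i.e. rule_a is the narrower of the two."""
    m = mirror(rule_b)  # express B's rule in A's direction before comparing
    return rule_a.src.subnet_of(m.src) and rule_a.dst.subnet_of(m.dst)


def negotiation_accepted(initiator: AclRule, responder: AclRule) -> bool:
    """The responder accepts an SA proposal only if the traffic selected by the
    initiator's rule is within the scope of the responder's own rule."""
    return covered_by(initiator, responder)


def classify(local: AclRule, remote: AclRule) -> str:
    """Summarise whether an SA can be set up between a local rule and a remote rule,
    and which side must initiate when the rules are not mirror images."""
    if is_mirror_pair(local, remote):
        return "mirror"
    if covered_by(local, remote):
        return "local-narrower"   # SA possible only if the local peer initiates
    if covered_by(remote, local):
        return "remote-narrower"  # SA possible only if the remote peer initiates
    return "mismatch"             # neither side's traffic fits the other's rule


# Constructed topology (assumption, not from the guide): Host A and Host B on
# Network 1 behind Firewall A, Host C and Host D on Network 2 behind Firewall B.
HOST_A, HOST_B = "10.1.1.1/32", "10.1.1.2/32"
HOST_C, HOST_D = "10.2.2.1/32", "10.2.2.2/32"
NET_1, NET_2 = "10.1.1.0/24", "10.2.2.0/24"

# Figure 126 style: exact mirror images on the two firewalls.
FW_A_MIRROR = rule(HOST_A, HOST_C)
FW_B_MIRROR = rule(HOST_C, HOST_A)

# Figure 127 style: Firewall A's rule is narrower than its counterpart on Firewall B.
FW_A_NARROW = rule(HOST_A, HOST_C)
FW_B_WIDE = rule(NET_2, NET_1)


def report() -> dict:
    """Evaluate the constructed scenarios; returned so the results can be checked."""
    return {
        "fig126": classify(FW_A_MIRROR, FW_B_MIRROR),
        "fig127_from_A": classify(FW_A_NARROW, FW_B_WIDE),
        # Host A -> Host C, initiated by Firewall A (the narrower peer)
        "A_to_C": negotiation_accepted(rule(HOST_A, HOST_C), FW_B_WIDE),
        # Host C -> Host B and Host D -> Host A, initiated by Firewall B (the wider peer)
        "C_to_B": negotiation_accepted(rule(HOST_C, HOST_B), FW_A_NARROW),
        "D_to_A": negotiation_accepted(rule(HOST_D, HOST_A), FW_A_NARROW),
    }


if __name__ == "__main__":
    for name, outcome in report().items():
        print(f"{name}: {outcome}")
```

Running the block reproduces the guide's description of Figure 127: the negotiation initiated by Host A towards Host C is accepted because Firewall A's selector falls inside Firewall B's wider rule, while the negotiations from Host C to Host B and from Host D to Host A are rejected because Firewall A's rule does not cover them. The `classify` function is the pre-deployment check: any rule pair reported as `mismatch` will never produce an SA from either side, and a `remote-narrower` or `local-narrower` result tells you which peer must be the initiator.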
3. Protection modes
Data flows can be protected in the following modes:
• Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one tunnel that is established solely for it.
• Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL. This mode is configurable only in IPsec policies that use IKE negotiation.