HP VSR1000 Security Configuration Manual page 188

The following example shows how an improper statement causes unexpected packet dropping. Only the
ACL-related configurations are presented.
Assume Router A connects subnet 1.1.2.0/24 and Router B connects subnet 3.3.3.0/24, and the IPsec
policy configurations on Router A and Router B are as follows:
IPsec configurations on Router A:
acl number 3000
rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
rule 1 deny ip
acl number 3001
rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip
#
ipsec policy testa 1 isakmp <---IPsec policy entry with a higher priority
security acl 3000
ike-profile aa
transform-set 1
#
ipsec policy testa 2 isakmp <---IPsec policy entry with a lower priority
security acl 3001
ike-profile bb
transform-set 1
IPsec configurations on Router B:
acl number 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip
#
ipsec policy testb 1 isakmp
security acl 3001
ike-profile aa
transform-set 1
On Router A, apply the IPsec policy testa to the outbound interface of Router A. The IPsec policy contains
two policy entries, testa 1 and testa 2. The ACLs referenced by the two policy entries each contain a rule
that matches traffic from 1.1.2.0/24 to 3.3.3.0/24. The one referenced in policy entry testa 1 is a deny
statement and the one referenced in policy entry testa 2 is a permit statement. Because testa 1 is matched
prior to testa 2, traffic from 1.1.2.0/24 to 3.3.3.0/24 will match the deny statement and be sent as
normal traffic. When the traffic arrives at Router B, the traffic matches rule 0 (a permit statement) in ACL
3001 referenced in the applied IPsec policy testb. Because non-IPsec traffic that matches a permit
statement must be dropped on the inbound interface, Router B drops the traffic.
To make sure subnet 1.1.2.0/24 can access subnet 3.3.3.0/24, you can delete the deny rule in ACL
3000 on Router A.
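A small Python model of the matching behaviour described above, added here as a worked example (it is not part of the manual and does not reproduce the router's actual code). It assumes, as the text states, that policy entries are tried in ascending sequence order and the first matching ACL rule decides, that the inbound interface compares the packet against the ACL with source and destination swapped, and that traffic matching no rule at all is sent as plain traffic; the packet addresses are constructed.

```python
import ipaddress

def _match(addr, base, wildcard):
    # Wildcard-mask match as the ACL engine does it: 1 bits in the mask are "don't care".
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# (action, src_base, src_wildcard, dst_base, dst_wildcard); None fields mean "any" (rule 1 deny ip)
ACL_A_3000 = [("permit", "1.1.1.0", "0.0.0.255", "2.2.2.0", "0.0.0.255"), ("deny", None, None, None, None)]
ACL_A_3001 = [("permit", "1.1.2.0", "0.0.0.255", "3.3.3.0", "0.0.0.255"), ("deny", None, None, None, None)]
ACL_B_3001 = [("permit", "3.3.3.0", "0.0.0.255", "1.1.2.0", "0.0.0.255"), ("deny", None, None, None, None)]

def acl_lookup(rules, src, dst):
    """Return the action of the first matching rule, or None when no rule matches."""
    for action, sb, sw, db, dw in rules:
        if sb is None or (_match(src, sb, sw) and _match(dst, db, dw)):
            return action
    return None

def outbound(policy_entries, src, dst):
    """policy_entries: (seq, acl) pairs in ascending seq order (testa 1 before testa 2).
    The first matching rule decides: permit -> protected by that entry, deny -> plain.
    Assumption: traffic matching no rule in any entry is also sent as plain traffic."""
    for seq, acl in policy_entries:
        action = acl_lookup(acl, src, dst)
        if action == "permit":
            return ("ipsec", seq)
        if action == "deny":
            return ("plain", seq)
    return ("plain", None)

def inbound(acl, protected, src, dst):
    """Inbound interface with the IPsec policy applied. The packet is matched against the
    ACL with source and destination swapped (hence mirror-image ACLs); plaintext that
    matches a permit rule is dropped."""
    action = acl_lookup(acl, dst, src)
    if action == "permit" and not protected:
        return "drop"
    return "forward"

def simulate(acl_3000, src="1.1.2.5", dst="3.3.3.7"):
    """Send one constructed packet from Router A's subnet through A's outbound policy
    (entries testa 1 and testa 2) and then through Router B's inbound check."""
    mode, seq = outbound([(1, acl_3000), (2, ACL_A_3001)], src, dst)
    verdict = inbound(ACL_B_3001, mode == "ipsec", src, dst)
    return mode, seq, verdict

if __name__ == "__main__":
    print("as configured:", simulate(ACL_A_3000))            # ('plain', 1, 'drop')
    fixed = [r for r in ACL_A_3000 if r[0] != "deny"]        # delete "rule 1 deny ip" from ACL 3000
    print("after fix:", simulate(fixed))                     # ('ipsec', 2, 'forward')
```

Running it shows the same outcome the text describes: with the deny rule in ACL 3000 the packet leaves Router A unprotected and is dropped by Router B, and after deleting that rule it is protected by entry testa 2 and forwarded.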
Mirror image ACLs
To make sure SAs can be set up and the traffic protected by IPsec can be processed correctly between
two IPsec peers, create mirror image ACLs on the IPsec peers. As shown in Figure 53, ACL rules on Router
B are mirror images of the rules on Router A. In this way, SAs can be created successfully for the traffic
between Host A and Host C and for the traffic between Network 1 and Network 2.
