IPsec Session Interruption/Recovery - Cisco ASR 1000 Series Common Criteria Operational User Guidance And Preparative Procedures

Aggregation services router

• The 'discard' option is accomplished using access lists with deny entries, which are
applied to interfaces within access-groups. Guidance for configuration of IOS
Information Flow Policies is located in [23] under "IP Access List Overview".
• The 'bypassing' option is accomplished using access lists with deny entries, which
are applied to interfaces within crypto maps for IPsec. Guidance for configuration of
entries for IPsec is in [10].
• The 'protecting' option is accomplished using access lists with permit entries, which
are applied to interfaces within crypto maps for IPsec VPN.
The criteria used in matching traffic in all of these access lists include the source and destination
address, and optionally the Layer 4 protocol and port.
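The three options above shown together in one IOS configuration, as an added example that is not taken from the Cisco guidance document. All names, the interface, the addresses (RFC 5737 documentation ranges) and the transform-set algorithms are assumptions; the IKE policy and peer authentication are assumed to be configured elsewhere.

```cisco
! Constructed example: every name, address and algorithm below is a placeholder.
!
! DISCARD: deny entry in an ACL applied to the interface with access-group.
ip access-list extended EXAMPLE-DISCARD
 remark DISCARD: drop and log Telnet to the example host
 deny   tcp any host 192.0.2.10 eq 23 log
 permit ip any any
!
! BYPASS and PROTECT: entries in the ACL that the crypto map references.
! Entries are evaluated top-down, so the narrower deny must come first.
ip access-list extended EXAMPLE-VPN
 remark BYPASS: deny entry, matching traffic is not IPsec-protected
 deny   udp 192.0.2.0 0.0.0.255 host 198.51.100.53 eq 53
 remark PROTECT: permit entry, matching traffic goes through the IPsec SA
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
! Placeholder transform set; use the algorithms the evaluated configuration allows.
crypto ipsec transform-set EXAMPLE-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map EXAMPLE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set EXAMPLE-TS
 match address EXAMPLE-VPN
!
interface GigabitEthernet0/0/0
 ip access-group EXAMPLE-DISCARD in
 crypto map EXAMPLE-MAP
```

Each entry matches on source and destination address, and the Telnet and DNS entries add the optional Layer 4 protocol and port; the `log` keyword on the deny entry is the optional logging.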
The TOE enforces information flow policies on network packets that are received by TOE
interfaces and leave the TOE through other TOE interfaces. When network packets are received
on a TOE interface, the TOE verifies whether the network traffic is allowed and then either
passes or does not pass the information, with optional logging.
4.6.6 IPsec Session Interruption/Recovery

If an IPsec session with a peer is unexpectedly interrupted, the connection will be broken. In
these cases, no administrative interaction is required. The IPsec session will be reestablished (a
new SA set up) once the peer is back online.