156
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51
and 50 respectively. Make sure that flows of these protocols are not denied on the interfaces with IKE
or IPsec configured.
Configuring an ACL
ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is
desired, such as QoS and IPsec.
Keywords in ACL rules
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny
or permit statement. A permit statement identifies a data flow protected by IPsec, and a deny
statement identifies a data flow that is not protected by IPsec. With IPsec, a packet is matched
against the referenced ACL rules and processed according to the first rule that it matches:
• Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose
there is a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This
rule matches both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.
• In the outbound direction, if a permit statement is matched, IPsec considers that the packet
requires protection and continues to process it. If a deny statement is matched or no match is
found, IPsec considers that the packet does not require protection and delivers it to the next
function module.
• In the inbound direction:
{ Non-IPsec packets that match a permit statement are dropped.
{ IPsec packets that match a permit statement and are destined for the device itself are
de-encapsulated and matched against the rule again. Only those that match a permit
statement are processed by IPsec.
When defining ACL rules for IPsec, follow these guidelines:
• Permit only data flows that need to be protected and use the any keyword with caution. With the
any keyword specified in a permit statement, all outbound traffic matching the permit statement
will be protected by IPsec and all inbound IPsec packets matching the permit statement will be
received and processed, but all inbound non-IPsec packets will be dropped. This will cause the
inbound traffic that does not need IPsec protection to be all dropped.
• Avoid statement conflicts in the scope of IPsec policy groups. When creating a deny statement,
be careful with its matching scope and matching order relative to permit statements. The
policies in an IPsec policy group have different match priorities. ACL rule conflicts between
them are prone to cause mistreatment of packets. For example, when configuring a permit
statement for an IPsec policy to protect an outbound traffic flow, you must avoid the situation
that the traffic flow matches a deny statement in a higher priority IPsec policy. Otherwise, the
packets will be sent out as normal packets. If they match a permit statement at the receiving
end, they will be dropped by IPsec.
The following configuration example shows how an improper statement causes unexpected packet
dropping. Only the ACL-related configurations are presented.
Router A connects the segment 1.1.2.0/24 and Router B connects the segment 3.3.3.0/24. On
Router A, apply the IPsec policy group test to the outbound interface of Router A. The IPsec policy
group contains two policies, test 1 and test 2. The ACLs referenced by the two policies each contain
a rule that matches traffic from 1.1.2.0/24 to 3.3.3.0/24. The one referenced in policy test 1 is a deny
statement and the one referenced in policy test 2 is a permit statement. Because test 1 is matched
prior to test 2, traffic from 1.1.2.0/24 to 3.3.3.0/24 will match the deny statement and sent as normal
traffic. When the traffic arrives at Router B, it will be dropped if it matches a permit statement in the
ACL referenced in the applied IPsec policy.
• Configure Router A:
acl number 3000
rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
To Next Page
Loading...
Need help?
General
