H3C Technologies H3C SecPath F1000-E User Manual

8

•

Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is

a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This rule matches

both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.

•

In the outbound direction, if a permit statement is matched, IPsec considers the packet as requiring

protection and continues to process it. If a deny statement is matched or no match is found, IPsec
considers the packet as not requiring protection and delivers it to the next function module.

•

In the inbound direction, all IPsec packets matching a permit statement are processed by IPsec, and
all non-IPsec packets that match a permit statement are discarded.

When defining ACL rules for IPsec, follow these guidelines:

•

Permit only the traffic that needs to be protected and use the any keyword with caution. With the
any keyword specified in a permit statement, all outbound traffic matching the permit statement will

be protected by IPsec and all inbound IPsec packets matching the permit statement will be received

and processed, while all inbound non-IPsec packets will be dropped. This will cause the inbound

traffic that does not need IPsec protection to be all dropped.

•

Avoid statement conflicts in the scope of IPsec policy groups. When creating a deny statement, be
careful with its matching scope and matching order relative to permit statements. The policies in an

IPsec policy group have different match priorities. ACL rule conflicts between them are prone to
cause mistreatment of packets. For example, when configuring a permit statement for an IPsec

policy to protect an outbound traffic flow, you must avoid the situation that the traffic flow matches

a deny statement in a higher priority IPsec policy. Otherwise, the packets will be sent out as normal

packets; if they match a permit statement at the receiving end, they will be dropped by IPsec.

The following configuration example shows how an improper statement causes unexpected packet

dropping. Only the ACL-related configurations are presented.
Router A connects the segment 1.1.2.0/24 and Router B connects the segment 3.3.3.0/24. On Router A,

apply the IPsec policy group test to the outbound interface of Router A. The IPsec policy group contains

two policies, test 1 and test 2. The ACLs referenced by the two policies each contain a rule that matches

traffic from 1.1.2.0/24 to 3.3.3.0/24. The one referenced in policy test 1 is a deny statement and the one

referenced in policy test 2 is a permit statement. Because test 1 is matched prior to test 2, traffic from

1.1.2.0/24 to 3.3.3.0/24 will match the deny statement and sent as normal traffic. When the traffic
arrives at Router B, it will be dropped if it matches a permit statement in the ACL referenced in the applied

IPsec policy.
Configuration on Router A:

acl number 3000

rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255

rule 1 deny ip

acl number 3001

rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255

rule 1 deny ip

#

ipsec policy test 1 isakmp

security acl 3000

ike-peer aa

proposal 1

#

ipsec policy test 2 isakmp

security acl 3001

ike-peer bb