Avaya Configuring IP Security Services Manual do Utilizador descarregar pdf (Página 47)

Configuring IPsec

304111-B Rev 00

3-3

Specifying an Action

The action specification in a policy controls how a packet that matches the

specified criteria (and criteria range) is processed. You decide how you want

packets to be processed and apply a policy to implement your decision.

With IPsec, a packet can be processed in one of three ways:

• The packet can be dropped.

• The packet can be transmitted or received without alteration.

• The packet can be protected (outbound only). In this case, an SA is linked to

the policy.

In addition to processing a packet or in the absence of a processing action, packet

receipt or transmission can be recorded in a log. The corresponding policy actions

are:

•Drop

• Bypass

• Protect (outbound only)

• Log (a message will be written to the router log)

The drop, bypass, and protect actions are mutually exclusive. You can specify a

logging action for any of these, or in their absence. Note that if an incoming

packet that does not match any configured policy arrives at an IPsec interface, it is

dropped by default.

Policy Considerations

When you configure a WAN interface with IPsec, all inbound and outbound traffic

on that interface is processed by IPsec, including traffic being forwarded.

For unicast traffic containing routing or control information, consider configuring

policies that allow such traffic to bypass IPsec. For example, to allow ICMP traffic

(such as “ping” or “destination unreachable” messages) to bypass IPsec

processing, configure the first policy for the interface with the protocol criterion

set to number 1 (ICMP) and the action specification set to bypass.

If a data packet matches the criteria for more than one policy, the first matching

policy is used.

1 2 ... 42 43 44 45 46 47 48 49 50 51 52 ... 99 100

Sem comentários

Avaya Configuring IP Security Services Manual do Utilizador Página 47