IPSec Policy and Traffic Policy - Which is first? (kinda newbie question)

  • We're about to test a vpn site-to-site on ipsec tunnel mode.
    Should we assume that no traffic is allowed between these two sites before the successful completion of IPSec Tunnel (phase i and phase ii) and SA established?
    is this a configurable behaviour?
    Assuming there is a ipsec policy (which defines tunnel configuration between the sites) and a Traffic policy (which is the firewall policy for the traffic between these two sites) What is the order these two policies apply?

    Thank you

  • I'm not sure I understand your question. If the IPsec tunnel connection is not finished, there can be no communication over the tunnel by the firewalls or any devices behind them. Once the tunnel is up, any firewall rules you have defined for IPsec will take effect.

  • This is the test i've been doing and driving me confused:

    Host1–-(Subnet1) ----VPNServer01------VPNServer02------(Subnet2)---Host2

    Assume an ipsec vpn site-to-site (tunnel mode) scenario joining two subnets

    test 1:
    step1:IPSec tunnel is succesfully established between the two vpn servers.
    step2:ICMP traffic between two hosts is ok
    step3:IPSec is stopped in VPNServer01
    step4:ICMP traffic between two hosts is stopped

    test 2:
    step5:IPSec services are stopped in the two vpn servers
    step6:ICMP traffic between two hosts is ok (icmp traffic is not encrypted , just plain icmp without encryption)
    step7:IPSec is started in only VPNServer01 (IPSec in VPNServer02 remains stopped)
    step8:ICMP traffic between two hosts goes on normally

    Why is ICMP traffic not being stopped at step8 in test2?
    is this behaviour is configurable? how?
    How can i get traffic being stopped between these two subnets whenever IPSec tunnel is not established?


  • Hi,

    what about step6? there is something wrong..this is not possible with inactive tunnel.

    Check ur routing tables, maybe pakets get routed directly. Post ur networkconfig (site1 site2 wan)


Log in to reply