
Starting IPsec
308630-15.1 Rev 00
3-3
Specifying an Action
The action specification in a policy controls how a packet that matches the
specified criteria is processed. You decide how you want packets to be processed
and apply one or more policies to implement your decision.
With IPsec, a packet can be processed in one of three ways:
• The packet can be dropped.
• The packet can be transmitted or received without alteration.
• The packet can be protected (outbound only). In this case, an SA is linked to
the policy.
In addition to processing a packet or in the absence of a processing action, packet
receipt or transmission can be recorded in a log. The corresponding policy actions
are:
• Drop
• Bypass
• Protect (outbound only)
• Log (a message is written to the router log)
The drop, bypass, and protect actions are mutually exclusive. You can specify a
logging action for any of these, or in their absence. If an incoming packet that
does not match any configured policy arrives at an IPsec interface, it is dropped.
Policy Considerations
When you configure an interface with IPsec, all inbound and outbound traffic on
that interface is processed by IPsec, including traffic being forwarded. (However,
see “Configuring IPsec and NAT on One Interface” on page 1-2.)
For unicast traffic containing routing or control information, consider configuring
policies that allow such traffic to bypass IPsec. For example, to allow ICMP traffic
(such as “ping” or “destination unreachable” messages) to bypass IPsec
processing, configure the first policy for the interface with the protocol criterion
set to 1 (ICMP) and the action specification set to bypass. Keep in mind that
traffic matching a bypass policy is neither authenticated nor encrypted, so make
the criteria of a bypass policy as narrow as the traffic requires.
If a data packet matches the criteria for more than one policy, the first matching
policy is applied. The order of the policies on an interface therefore determines
the result: a policy placed after a broader one that matches the same traffic is
never reached.
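The following Python model is an added illustration of the policy-evaluation rules described on this page (ordered policies, first match wins, drop/bypass/protect mutually exclusive, optional logging, unmatched inbound traffic dropped). It is not the router's own code or configuration syntax. The policy and packet fields, the CIDR-based source and destination criteria, the SA names and the sample addresses are all constructed for the example; how the router treats an inbound packet that matches a protect policy, and what happens to unmatched outbound traffic, are not stated on the page and are modelled as labelled assumptions. Policies that carry only a log action are not modelled.

```python
"""Model of the IPsec policy-evaluation rules on this page (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ICMP, TCP, UDP = 1, 6, 17          # IP protocol numbers used as policy criteria


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the IPsec interface
    proto: int
    src: str
    dst: str


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                  # exactly one of "drop", "bypass", "protect"
    log: bool = False            # logging can be combined with any action
    proto: Optional[int] = None  # criteria; None means "any"
    src: Optional[str] = None    # CIDR such as "10.1.0.0/16" (assumed criterion form)
    dst: Optional[str] = None
    sa: Optional[str] = None     # SA linked to a protect policy

    def __post_init__(self) -> None:
        if self.action not in ("drop", "bypass", "protect"):
            raise ValueError(f"{self.name}: unknown action {self.action!r}")
        if (self.action == "protect") != (self.sa is not None):
            raise ValueError(f"{self.name}: protect policies, and only they, link an SA")

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return True


def process(policies: List[Policy], pkt: Packet, log: List[str]) -> Tuple[str, Optional[str]]:
    """Apply the first matching policy; return (disposition, linked SA or None)."""
    for pol in policies:
        if not pol.matches(pkt):
            continue
        if pol.log:
            log.append(f"{pol.name}: {pkt.direction} proto={pkt.proto} {pkt.src}->{pkt.dst}")
        if pol.action == "protect" and pkt.direction == "in":
            # Protect is outbound only. The page does not say what the router
            # does with an inbound match here; treating it as a configuration
            # error is an assumption of this model.
            raise ValueError(f"{pol.name}: protect policy matched inbound traffic")
        return pol.action, pol.sa
    # No policy matched. The page specifies drop for unmatched inbound traffic;
    # applying the same default to outbound traffic is an assumption.
    return "drop", None


# Constructed sample policies and packets (addresses and SA name are illustrative).
ICMP_BYPASS = Policy("icmp-bypass", "bypass", log=True, proto=ICMP)
PROTECT_BRANCH = Policy("protect-branch", "protect",
                        src="10.1.0.0/16", dst="10.2.0.0/16", sa="sa-branch")
PING_OUT = Packet("out", ICMP, "10.1.0.5", "10.2.0.9")
DATA_OUT = Packet("out", TCP, "10.1.0.5", "10.2.0.9")
STRAY_IN = Packet("in", UDP, "192.0.2.7", "10.1.0.5")   # matches no policy


def recommended_order():
    """ICMP bypass listed first, as the page advises: ping bypasses, data is protected."""
    log: List[str] = []
    policies = [ICMP_BYPASS, PROTECT_BRANCH]
    return (process(policies, PING_OUT, log),
            process(policies, DATA_OUT, log),
            process(policies, STRAY_IN, log),
            log)


def shadowed_order():
    """Protect policy listed first: the ICMP bypass policy is never reached."""
    log: List[str] = []
    return process([PROTECT_BRANCH, ICMP_BYPASS], PING_OUT, log), log


if __name__ == "__main__":
    print("recommended order:", recommended_order())
    print("shadowed order:   ", shadowed_order())
```

Running the block shows the effect of ordering: with the ICMP bypass policy first, the ping is bypassed and logged, the TCP packet is protected under the linked SA, and the unmatched inbound packet is dropped; with the broader protect policy first, the same ping is protected instead and the bypass policy's log entry never appears.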