[Vpn-help] Documentation on Policy include/exclude rules?
Matthew Grooms
mgrooms at shrew.net
Thu Nov 20 14:39:57 CST 2008
Robert wrote:
> Using 2.14 on Windows and there isn't much detailed documentation on the
> IPSEC Policy Configuration. I want to define policy rules to include or
> exclude certain network resources.
>
You're right. The documentation is lacking in this area. I added an item
to my todo list and will try to include more detailed information in the
next release version of the administrators guide.
> First I would uncheck [ ] Obtain Topology Automatically or Tunnel All
>
When this option is enabled, the client will attempt to obtain topology
information automatically from the gateway. Only a few platforms support
this negotiation feature ( ipsec-tools, Cisco and Sidewinder to name a
few ). If no topology information is received, it resorts to forcing all
traffic across the tunnel. When this option is disabled, you need to
manually define policies used for IPsec communications.
The two policy entry types map to the IPsec and None policy types which
are described in the RFC documents. An include entry maps to the IPsec
policy type and is used to process traffic using ESP, AH or IPcomp for
traffic that matches the policy selector IDs. An exclude entry maps to
the None policy type and is used to prevent IPsec processing from being
performed for traffic that matches the policy selector IDs.
The local policy selector ID is determined by the Adapter Addressing
mode configured in the Site Configuration. If a virtual adapter mode is
selected, the virtual adapter address is used. Otherwise the adapter
address that is referenced by the route to the VPN gateway is used. The
remote policy selector ID is defined in the policy entry. For example,
if a client host has a DHCP address of 192.168.1.10, a default gateway
of 192.168.1.1, is communicating with gateway x.x.x.x, is assigned a
virtual adapter address of 10.1.254.20 and has no policy include entries
configured, the client will generate the following IPsec policies ...
Direction, IPsec protocol/mode, src -> dst, peer src -> peer dst
IN, ESP/tunnel, 0.0.0.0/0 -> 10.1.254.20/32, x.x.x.x -> 192.168.1.10
OUT, ESP/tunnel, 10.1.254.20/32 -> 0.0.0.0/0, 192.168.1.10 -> x.x.x.x
If the client has the same configuration but added two policy include
entries for 10.10.1.0/24 and 10.10.3.0/24, the client would generate the
following IPsec policies ...
IN, ESP/tunnel, 10.10.1.0/24 -> 10.1.254.20/32, x.x.x.x -> 192.168.1.10
OUT, ESP/tunnel, 10.1.254.20/32 -> 10.10.1.0/24, 192.168.1.10 -> x.x.x.x
IN, ESP/tunnel, 10.10.3.0/24 -> 10.1.254.20/32, x.x.x.x -> 192.168.1.10
OUT, ESP/tunnel, 10.1.254.20/32 -> 10.10.3.0/24, 192.168.1.10 -> x.x.x.x
If the client has the same configuration but also added a single exclude
entry for 10.1.1.15/32, the client would generate the following IPsec
policies ...
IN, None, 10.10.1.15/32 -> 10.1.254.20/32
OUT, None, 10.1.254.20/32 -> 10.10.1.15/32
IN, ESP/tunnel, 10.10.1.0/24 -> 10.1.254.20/32, x.x.x.x -> 192.168.1.10
OUT, ESP/tunnel, 10.1.254.20/32 -> 10.10.1.0/24, 192.168.1.10 -> x.x.x.x
IN, ESP/tunnel, 10.10.3.0/24 -> 10.1.254.20/32, x.x.x.x -> 192.168.1.10
OUT, ESP/tunnel, 10.1.254.20/32 -> 10.10.3.0/24, 192.168.1.10 -> x.x.x.x
By doing this, the client would perform IPsec processing on all traffic
destined for the 10.10.1.0/24 network except for the 10.10.1.15 host. An
exclude policy is generated first and evaluation happens from first to
last. In other words, exclude policies always trump include policies.
> Now, how would I define a policy to "Tunnel All Except x.x.x.x"
> I thought perhaps:
> Include 0.0.0.0 / 0.0.0.0 (To tunnel all)
> Exclude 10.154.1.0 / 255.255.255.0
> Exclude 192.168.1.0 / 255.255.255.0
>
> But "Include 0.0.0.0 / 0.0.0.0" is not
> accepted.
>
If you don't define any include entries, a default policy of 0.0.0.0/0
will always be used. In other words, if you only add an exclude entry,
the client will tunnel everything except for the traffic destined to the
network specified in the exclude policy.
> Going the other way, everything is excluded by default and will only
> tunnel what is defined in the include rules. But it is hard if there are
> more networks on the remote end compared to the local end.
>
By defining one or more include entries, the client will not generate
the 0.0.0.0/0 default policy. In other words, only traffic that is
destined to networks defined in the include entries will be tunneled.
> Also, what happens when Include and Exclude rules have overlapping networks?
> For example:
> Include 192.168.0.0 / 255.255.0.0
> Exclude 192.168.1.0 / 255.255.255.0
> So would all 192.168.x.x traffic be tunneled except for 192.168.1.x traffic?
>
> Or the opposite:
> Exclude 192.168.0.0 / 255.255.0.0
> Include 192.168.1.0 / 255.255.255.0
>
> Would I need to avoid any overlap and specify networks exactly, either
> by listing them individually or playing around with the subnet mask?
>
As mentioned previously, None policies will always match traffic before
IPsec processing policies. Exclude always trumps include.
> Thanks,
> Bobby
>
No problem. Hopefully it's all clear as mud :)
-Matthew
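As an added illustration (not code from this thread or from the Shrew Soft client), the policy generation and first-match evaluation that the reply above describes, modelled in Python. The gateway address x.x.x.x is kept as the placeholder the post uses, and treating traffic that matches no policy as "not tunnelled" is an assumption drawn from the reply's description of include-only configurations.

```python
from ipaddress import ip_address, ip_network

def generate_policies(local_addr, phys_addr, gateway, includes=(), excludes=()):
    """Return the ordered list of (direction, type, src, dst, peers) policies.

    Exclude entries become 'None' policies and are emitted first; include
    entries become ESP/tunnel policies, and with no includes a single
    0.0.0.0/0 include is generated, as the reply describes.
    """
    me = f"{local_addr}/32"  # local selector: the virtual adapter address
    policies = []
    for net in excludes:
        policies.append(("IN", "None", net, me, None))
        policies.append(("OUT", "None", me, net, None))
    for net in includes or ("0.0.0.0/0",):
        policies.append(("IN", "ESP/tunnel", net, me, f"{gateway} -> {phys_addr}"))
        policies.append(("OUT", "ESP/tunnel", me, net, f"{phys_addr} -> {gateway}"))
    return policies

def format_policy(policy):
    """Render a policy in the same layout the reply uses."""
    direction, kind, src, dst, peers = policy
    line = f"{direction}, {kind}, {src} -> {dst}"
    return line if peers is None else f"{line}, {peers}"

def match_outbound(policies, local_addr, dst_ip):
    """Walk the list first to last and return the type of the first OUT policy
    whose selectors cover local_addr -> dst_ip; because None policies sit at
    the top, an exclude always wins over an overlapping include.
    Returns 'no policy' (assumed: traffic is not tunnelled) if nothing matches."""
    src_ip, dst_ip = ip_address(local_addr), ip_address(dst_ip)
    for direction, kind, src, dst, _ in policies:
        if direction == "OUT" and src_ip in ip_network(src) and dst_ip in ip_network(dst):
            return kind
    return "no policy"

if __name__ == "__main__":
    # The reply's third example: two includes plus one exclude (constructed input)
    pols = generate_policies("10.1.254.20", "192.168.1.10", "x.x.x.x",
                             includes=("10.10.1.0/24", "10.10.3.0/24"),
                             excludes=("10.10.1.15/32",))
    for p in pols:
        print(format_policy(p))
    for dst in ("10.10.1.15", "10.10.1.20", "10.10.2.5"):
        print(dst, "->", match_outbound(pols, "10.1.254.20", dst))
```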