[Vpn-help] Documentation on Policy include/exclude rules?

Matthew Grooms mgrooms at shrew.net
Thu Nov 20 14:39:57 CST 2008


Robert wrote:
> Using 2.14 on Windows and there isn't much detailed documentation on the 
> IPSEC Policy Configuration. I want to define policy rules to include or 
> exclude certain network resources.
> 

You're right. The documentation is lacking in this area. I added an item 
to my todo list and will try to include more detailed information in the 
next release version of the administrators guide.

> First I would uncheck [ ] Obtain Topology Automatically or Tunnel All
> 

When this option is enabled, the client will attempt to obtain topology 
information automatically from the gateway. Only a few platforms support 
this negotiation feature (ipsec-tools, Cisco and Sidewinder to name a 
few). If no topology information is received, it resorts to forcing all 
traffic across the tunnel. When this option is disabled, you need to 
manually define policies used for IPsec communications.

The two policy entry types map to the IPsec and None policy types which 
are described in the RFC documents. An include entry maps to the IPsec 
policy type and is used to process traffic using ESP, AH or IPcomp for 
traffic that matches the policy selector IDs. An exclude entry maps to 
the None policy type and is used to prevent IPsec processing from being 
performed for traffic that matches the policy selector IDs.

The local policy selector ID is determined by the Adapter Addressing 
mode configured in the Site Configuration. If a virtual adapter mode is 
selected, the virtual adapter address is used. Otherwise the adapter 
address that is referenced by the route to the VPN gateway is used. The 
remote policy selector ID is defined in the policy entry. For example, 
if a client host has a DHCP address of 192.168.1.10, a default gateway 
of 192.168.1.1, is communicating with gateway x.x.x.x, is assigned a 
virtual adapter address of 10.1.254.20 and has no policy include entries 
configured, the client will generate the following IPsec policies ...

Direction, IPsec protocol/mode, src -> dst, peer src -> peer dst

IN,  ESP/tunnel, 0.0.0.0/0 -> 10.1.254.20/32, x.x.x.x -> 192.168.1.10
OUT, ESP/tunnel, 10.1.254.20/32 -> 0.0.0.0/0, 192.168.1.10 -> x.x.x.x

If the client has the same configuration but added two policy include 
entries for 10.10.1.0/24 and 10.10.3.0/24, the client would generate the 
following IPsec policies ...

IN,  ESP/tunnel, 10.10.1.0/24 -> 10.1.254.20/32, x.x.x.x -> 192.168.1.10
OUT, ESP/tunnel, 10.1.254.20/32 -> 10.10.1.0/24, 192.168.1.10 -> x.x.x.x

IN,  ESP/tunnel, 10.10.3.0/24 -> 10.1.254.20/32, x.x.x.x -> 192.168.1.10
OUT, ESP/tunnel, 10.1.254.20/32 -> 10.10.3.0/24, 192.168.1.10 -> x.x.x.x

If the client has the same configuration but also added a single exclude 
entry for 10.10.1.15/32, the client would generate the following IPsec 
policies ...

IN,  None, 10.10.1.15/32 -> 10.1.254.20/32
OUT, None, 10.1.254.20/32 -> 10.10.1.15/32

IN,  ESP/tunnel, 10.10.1.0/24 -> 10.1.254.20/32, x.x.x.x -> 192.168.1.10
OUT, ESP/tunnel, 10.1.254.20/32 -> 10.10.1.0/24, 192.168.1.10 -> x.x.x.x

IN,  ESP/tunnel, 10.10.3.0/24 -> 10.1.254.20/32, x.x.x.x -> 192.168.1.10
OUT, ESP/tunnel, 10.1.254.20/32 -> 10.10.3.0/24, 192.168.1.10 -> x.x.x.x

By doing this, the client would perform IPsec processing on all traffic 
destined for the 10.10.1.0/24 network except for the 10.10.1.15 host. An 
exclude policy is generated first and evaluation happens from first to 
last. In other words, exclude policies always trump include policies.

> Now, how would I define a policy to "Tunnel All Except x.x.x.x"
> I thought perhaps:
> Include 0.0.0.0 / 0.0.0.0 (To tunnel all)
> Exclude 10.154.1.0 / 255.255.255.0
> Exclude 192.168.1.0 / 255.255.255.0
> 
> But "Include 0.0.0.0 / 0.0.0.0" is not accepted.
> 

If you don't define any include entries, a default policy of 0.0.0.0/0 
will always be used. In other words, if you only add an exclude entry, 
the client will tunnel everything except for the traffic destined to the 
network specified in the exclude policy.

> Going the other way, everything is excluded by default and will only 
> tunnel what is defined in the include rules. But it is hard if there are 
> more networks on the remote end compared to the local end.
> 

By defining one or more include entries, the client will not generate 
the 0.0.0.0/0 default policy. In other words, only traffic that is 
destined to networks defined in the include entries will be tunneled.

> Also, what happens when Include and Exclude rules have overlapping networks?
> For example:
> Include 192.168.0.0 / 255.255.0.0
> Exclude 192.168.1.0 / 255.255.255.0
> So would all 192.168.x.x traffic be tunneled except for 192.168.1.x traffic?
> 
> Or the opposite:
> Exclude 192.168.0.0 / 255.255.0.0
> Include 192.168.1.0 / 255.255.255.0
> 
> Would I need to avoid any overlap and specify networks exactly, either 
> by listing them individually or playing around with the subnet mask?
> 

As mentioned previously, None policies will always match traffic before 
IPsec processing policies. Exclude always trumps include.

> Thanks,
> Bobby
> 

No problem. Hopefully it's all clear as mud :)

-Matthew
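The policy generation and first-to-last evaluation described above (exclude entries becoming None policies ahead of the include entries, the default 0.0.0.0/0 include when no include entry is configured, and the local selector taken from the virtual adapter address or else the physical adapter address) modelled as an added Python example. This is example code written for this page, not the Shrew Soft client's source. The address 203.0.113.1 is a constructed stand-in for the gateway "x.x.x.x" in the post, the scenario inputs are taken from the post's three examples, and the "no-policy" result returned for traffic that matches no entry is this example's own label for "not tunneled". It also goes slightly beyond the post by running Robert's two overlapping include/exclude orderings from the question to show that the order in which the entries are typed does not matter.

```python
"""Model of how the client, as described in the post, turns policy include/exclude
entries into IPsec policies and evaluates them first to last.
Added example, not the Shrew Soft client's own code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Policy:
    direction: str                    # "IN" or "OUT"
    action: str                       # "None" (exclude entry) or "ESP/tunnel" (include entry)
    src: IPNet                        # inner policy selector IDs
    dst: IPNet
    peer_src: Optional[str] = None    # outer tunnel endpoints; IPsec policies only
    peer_dst: Optional[str] = None

    def __str__(self) -> str:
        # Same layout as the policy lines in the post.
        line = f"{self.direction}, {self.action}, {self.src} -> {self.dst}"
        if self.action != "None":
            line += f", {self.peer_src} -> {self.peer_dst}"
        return line


def build_policies(local_addr: str, gateway_addr: str, virtual_addr: Optional[str] = None,
                   includes: Sequence[str] = (), excludes: Sequence[str] = ()) -> List[Policy]:
    """Generate the policy list in evaluation order: exclude (None) entries first,
    then include (IPsec) entries, with a default 0.0.0.0/0 include only when no
    include entry is configured."""
    # Local selector: the virtual adapter address if one is assigned, otherwise the
    # physical adapter address that routes to the gateway. A bare host address
    # becomes a /32 (or /128) network.
    local = ipaddress.ip_network(virtual_addr or local_addr)
    policies: List[Policy] = []
    for net in excludes:
        n = ipaddress.ip_network(net, strict=False)
        policies.append(Policy("IN", "None", n, local))
        policies.append(Policy("OUT", "None", local, n))
    include_nets = [ipaddress.ip_network(net, strict=False) for net in includes]
    if not include_nets:
        include_nets = [ipaddress.ip_network("0.0.0.0/0")]
    for n in include_nets:
        policies.append(Policy("IN", "ESP/tunnel", n, local, gateway_addr, local_addr))
        policies.append(Policy("OUT", "ESP/tunnel", local, n, local_addr, gateway_addr))
    return policies


def outbound_action(policies: Sequence[Policy], dst_ip: str) -> str:
    """First-match lookup over the OUT policies for a destination address.
    Returns "None" (sent in the clear), "ESP/tunnel" (tunneled) or "no-policy"
    (no entry matched, so not tunneled; the label is this example's own)."""
    dst = ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction == "OUT" and dst in p.dst:
            return p.action
    return "no-policy"


if __name__ == "__main__":
    # The post's third scenario: two include entries plus one /32 exclude entry.
    # 203.0.113.1 is a constructed stand-in for the gateway "x.x.x.x" in the post.
    for p in build_policies("192.168.1.10", "203.0.113.1", virtual_addr="10.1.254.20",
                            includes=["10.10.1.0/24", "10.10.3.0/24"],
                            excludes=["10.10.1.15/32"]):
        print(p)
```

Running the script prints the six policy lines of the post's third scenario in the same order (the two None policies first). Because `outbound_action` stops at the first matching OUT policy and the None policies are always generated first, an exclude entry wins whether it is broader than, narrower than, or listed after an overlapping include entry, which is the answer to the overlap question above.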
