Policy-based routing allows
traffic that is described in a routing rule to be routed by using
one or more route tables. When IP security is active on a TCP/IP stack
that is using policy-based routing, it is important to understand
how the two functions interact. On a stack with IP security active,
traffic can be encapsulated in an AH, ESP, or UDP-encapsulated ESP
header. An additional IP header can be added if the encapsulated traffic
is being sent to a security gateway (that is, the remote tunnel endpoint
is not the same as the remote data endpoint). A matching routing rule
is selected based on the characteristics of the original non-encapsulated
traffic. The route tables that are associated with the matching routing
rule and action are used to route the encapsulated traffic.
For example, assume the following configuration:
- An IPSec filter rule, FilterRule1, is configured for traffic with
source address 9.1.1.1 and destination address 167.0.0.0/8 to have
IPSec protection. Traffic is encapsulated and sent to router 9.2.2.2,
the security gateway.
- A routing rule, FTPRULE, is configured for FTP traffic with source
address 9.1.1.1. The associated action specifies that route table
FTPRTES is to be used to route traffic and that the main route table
is not to be searched.
Given this configuration, the following processing is performed
for FTP traffic sent from IP address 9.1.1.1 to IP address 167.1.1.1:
- The FTP traffic matches routing rule FTPRULE, and a route is found
in route table FTPRTES that is used to route to destination 167.1.1.1.
- The FTP traffic matches IPSec filter rule FilterRule1.
- The FTP traffic is encapsulated and a new IP header is added with
destination address 9.2.2.2.
- The encapsulated packet is routed based on the routes that are
defined in route table FTPRTES. To send the traffic successfully,
route table FTPRTES must also contain a route that can be used to reach
destination 9.2.2.2. Otherwise, the packet is sent by using the route
that was found for destination 167.1.1.1, and whether it is delivered
then depends on network connectivity.
Requirement: When a routing rule applies
to traffic that is to be IPSec encapsulated and sent to a security
gateway, the route tables that are associated with the routing rule
and action must contain a route that can be used to reach the security
gateway, as well as a route that can be used to reach the original
destination.
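The following Python model is an added illustration, not code from the z/OS Communications Server documentation: it walks through the four processing steps above for the FTPRULE/FilterRule1 configuration, first with an FTPRTES table that only knows how to reach 167.0.0.0/8 and then with the route to the security gateway that the requirement calls for. The route table contents, next-hop addresses and the `ftp` protocol tag are constructed for the example; the matching logic is a simplification of what the stack does.

```python
"""Model of policy-based routing combined with IPSec encapsulation.

Added example: the route tables, next hops and matching rules below are
constructed to mirror the FTPRULE / FilterRule1 scenario in the text and
are not the stack's real data structures.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    prefix: str     # destination prefix, e.g. "167.0.0.0/8"
    next_hop: str   # first-hop router for that prefix


def lookup(table, dst):
    """Longest-prefix match over one route table; None if nothing matches."""
    best = None
    for route in table:
        net = ip_network(route.prefix)
        if ip_address(dst) in net and (
            best is None or net.prefixlen > ip_network(best.prefix).prefixlen
        ):
            best = route
    return best


@dataclass
class RoutingRule:
    name: str
    src: str
    protocol: str
    tables: list        # route tables named by the action, searched in order
    search_main: bool   # whether the main route table is searched afterwards


@dataclass
class IpsecFilterRule:
    name: str
    src: str
    dst_prefix: str
    gateway: str        # remote tunnel endpoint (the security gateway)


def route_packet(pkt, routing_rules, filter_rules, tables):
    """Return (outer destination, route used) following the steps in the text."""
    src, dst, proto = pkt

    # Step 1: the routing rule is selected on the ORIGINAL, non-encapsulated
    # traffic, and its action fixes which route tables will be searched.
    rule = next((r for r in routing_rules
                 if r.src == src and r.protocol == proto), None)
    search = [tables[name] for name in rule.tables] if rule else []
    if rule is None or rule.search_main:
        search.append(tables["MAIN"])

    def find(dest):
        for table in search:
            route = lookup(table, dest)
            if route:
                return route
        return None

    inner_route = find(dst)

    # Step 2: the IPSec filter rule is also matched on the original traffic.
    filt = next((f for f in filter_rules if f.src == src
                 and ip_address(dst) in ip_network(f.dst_prefix)), None)
    if filt is None:
        return dst, inner_route

    # Step 3: encapsulate; the new outer IP header points at the gateway.
    outer_dst = filt.gateway

    # Step 4: the encapsulated packet is routed with the SAME tables chosen
    # in step 1. If they hold no route to the gateway, the stack falls back
    # to the route it found for the original destination.
    outer_route = find(outer_dst)
    return outer_dst, (outer_route or inner_route)


FILTER_RULES = [IpsecFilterRule("FilterRule1", "9.1.1.1", "167.0.0.0/8", "9.2.2.2")]
ROUTING_RULES = [RoutingRule("FTPRULE", "9.1.1.1", "ftp", ["FTPRTES"], False)]
PACKET = ("9.1.1.1", "167.1.1.1", "ftp")   # constructed: FTP from 9.1.1.1 to 167.1.1.1


def decide(ftprtes_routes):
    """Route PACKET with the given FTPRTES contents; MAIN is never consulted
    because FTPRULE's action says not to search it."""
    tables = {
        "FTPRTES": ftprtes_routes,
        "MAIN": [Route("0.0.0.0/0", "10.0.0.254"), Route("9.2.2.0/24", "9.2.2.1")],
    }
    outer_dst, route = route_packet(PACKET, ROUTING_RULES, FILTER_RULES, tables)
    return outer_dst, route.prefix, route.next_hop


def misconfigured():
    """FTPRTES only reaches the original destination: the packet addressed to
    9.2.2.2 leaves via the 167.0.0.0/8 route, and delivery is left to chance."""
    return decide([Route("167.0.0.0/8", "10.0.0.1")])


def corrected():
    """FTPRTES also carries a route to the security gateway, as required."""
    return decide([Route("167.0.0.0/8", "10.0.0.1"), Route("9.2.2.0/24", "9.2.2.1")])


if __name__ == "__main__":
    print("missing gateway route:", misconfigured())
    print("with gateway route:   ", corrected())
```

The check a practitioner wants is the one `decide` performs: for every routing rule whose action names specific tables and disables the main-table search, resolve both the original destination and each security gateway that an IPSec filter rule could redirect that traffic to, using only those tables. A gateway that resolves only via MAIN, or not at all, is the misconfiguration the requirement describes.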
For more information about IP security, see IP security.