05-27-2012 02:51 PM
I've configured a ipsec routing policy on the UAC that protects a resource, say 10.0.0.0/24 for use with dynamic VPNs using Pulse client. I have configured the SRX IPSEC policies and the VPN sets up OK. When I configure an exception in the UAC routing policy, e.g. 10.0.0.1 the traffic gets dropped. The traffic from the client gets sent in the clear to the SRX but the traffic would appear to be hitting the policy based VPN rule and being dropped. Does anyone know what the expected behaviour of the 'exception' feature is in the UAC IPSEC routing policy and how this gets pushed down to the SRX in terms of ipsec policy etc.
05-27-2012 11:07 PM
In IPsec routing policies you can specify a range of exceptions for traffic to certain resources that you do not want to use IPsec. The exceptions can fall within the ranges of resources that the Infranet Enforcer protects. In this case, if you create an exception for traffic that flows through the Infranet Enforcer, you must also create another policy on the Infranet Enforcer that allows the exception traffic to flow through.
For example, you might create an IPsec routing policy that uses IPsec for 0.0.0.0/0 (the entire network). In the same policy, you can specify the resources that are exceptions and that do not use IPsec, such as 172.24.80.30 (the IC Series device), 172.24.80.31 (the Infranet Enforcer), and 172.24.144/21 (a wireless network).
05-28-2012 10:25 PM
thanks for the reply,
so would I need to create a specific security rule on the SRX with the source and destination defined for the exception and have that above the policy based tunnel uac rule or would the exception traffic use a Source IP enforcement uac rule on the SRX. Currently on the SRX I have a policy based tunnel enforcement rule above a Source IP enforcement rule. The exception traffic is sent unencrypted from the Pulse client to the SRX and hits the tunnel rule where the debug shows it getting dropped, it doesn't appear to be passed to the Source IP enforment rule.
05-29-2012 11:52 PM
Is there a corresponding resource access policy in the IC for these exception traffic/network, associated with the user role.So that even though they are not routed via the tunnel, SRX can allow the traffic based on source IP enforcement.