Tunnel policies control how traffic being sent or received through an IPSec tunnel should be processed.
Tunnel policies are specified as entries in the file
%ETC%\SECURITY\POLICY
Note: It is possible to use a different file name; however, doing so will cause an error in CFGFILT when the filter rules are activated.
Each policy is specified on a single line in this file. A policy entry takes the following format:
<srcip> <destip> <tunnel> <esp>/<ah> <esp_mode>/<ah_mode> <ah_first>
The first three fields are used to identify the tunnel. The remaining fields define the tunnel's behaviour.
Tunnel policies are activated with the FWINSERT command from within the directory containing the policy file:
fwinsert policy
This command purges any active policy entries within the IPSec driver, and replaces them with those defined in the policy file.
Corresponding policies must be in place on each host (local and partner).
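As an added example, not part of this documentation or of the product's own tools, the following Python parses entries in the six-field layout given above and lists local entries whose corresponding entry is absent from a partner host's policy file. The page does not state which tokens are valid for the esp/ah, mode and ah_first fields, so those are kept as opaque strings; the sample entries and the mirror-image notion of "corresponding" are assumptions.

```python
import ipaddress
from collections import namedtuple

# One attribute per field in the policy layout described above.
TunnelPolicy = namedtuple("TunnelPolicy", "srcip destip tunnel esp ah esp_mode ah_mode ah_first")

def _split_pair(field):
    # <esp>/<ah> and <esp_mode>/<ah_mode> are slash-separated pairs
    parts = field.split("/")
    if len(parts) != 2:
        raise ValueError(f"expected x/y pair, got {field!r}")
    return parts[0], parts[1]

def parse_policy_line(line):
    # <srcip> <destip> <tunnel> <esp>/<ah> <esp_mode>/<ah_mode> <ah_first>
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    srcip, destip, tunnel, esp_ah, modes, ah_first = fields
    for ip in (srcip, destip):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    esp, ah = _split_pair(esp_ah)
    esp_mode, ah_mode = _split_pair(modes)
    return TunnelPolicy(srcip, destip, tunnel, esp, ah, esp_mode, ah_mode, ah_first)

def parse_policy_file(text):
    # One policy per line; skipping blank lines is an assumption, not stated on the page.
    return [parse_policy_line(l) for l in text.splitlines() if l.strip()]

def missing_partner_policies(local, partner):
    # Assumption: the partner's corresponding entry is the mirror image
    # (srcip and destip swapped) with the same tunnel id and behaviour fields.
    partner_set = set(partner)
    return [p for p in local
            if TunnelPolicy(p.destip, p.srcip, p.tunnel, p.esp, p.ah,
                            p.esp_mode, p.ah_mode, p.ah_first) not in partner_set]

# Constructed sample files; the tokens y, n and tun are placeholders, not values
# this page defines.  The partner file lacks the entry for tunnel 2.
LOCAL_POLICY = ("192.0.2.10 198.51.100.20 1 y/n tun/tun n\n"
                "192.0.2.10 198.51.100.21 2 y/y tun/tun y\n")
PARTNER_POLICY = "198.51.100.20 192.0.2.10 1 y/n tun/tun n\n"

def check_partner(local_text=LOCAL_POLICY, partner_text=PARTNER_POLICY):
    # Tunnel ids of local entries that have no corresponding partner entry.
    missing = missing_partner_policies(parse_policy_file(local_text),
                                       parse_policy_file(partner_text))
    return [p.tunnel for p in missing]
```

Running check_partner() on the constructed files reports tunnel 2 as lacking a partner entry.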