Considerations for using policy-based routing with IP security
Policy-based routing allows traffic that is described in a routing rule to be routed by using one or more route tables. When IP security is active on a TCP/IP stack that is using policy-based routing, it is important to understand how the two functions interact. On a stack with IP security active, traffic can be encapsulated in an AH, ESP, or UDP-encapsulated ESP header. An additional IP header can be added if the encapsulated traffic is being sent to a security gateway (that is, the remote tunnel endpoint is not the same as the remote data endpoint). A matching routing rule is selected based on the characteristics of the original non-encapsulated traffic. The route tables that are associated with the matching routing rule and action are used to route the encapsulated traffic.
For example, assume the following configuration:
- An IPSec filter rule, FilterRule1, is configured for traffic with source address 9.1.1.1 and destination address 167.0.0.0/8 to have IPSec protection. Traffic is encapsulated and sent to router 9.2.2.2, the security gateway.
- A routing rule, FTPRULE, is configured for FTP traffic with source address 9.1.1.1. The associated action specifies that route table FTPRTES is to be used to route traffic and that the main route table is not to be searched.
Given this configuration, the following processing is performed for FTP traffic sent from IP address 9.1.1.1 to IP address 167.1.1.1:
- The FTP traffic matches routing rule FTPRULE, and a route is found in route table FTPRTES that is used to route to destination 167.1.1.1.
- The FTP traffic matches IPSec filter rule FilterRule1.
- The FTP traffic is encapsulated and a new IP header is added with destination address 9.2.2.2.
- The encapsulated packet is routed based on the routes that are defined in route table FTPRTES. To successfully send the traffic, route table FTPRTES must also contain a route to destination 9.2.2.2 (the security gateway). Otherwise, the encapsulated packet is sent by using the route that was found for destination 167.1.1.1, and whether it then reaches the security gateway depends on network connectivity along that route.
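The four steps above can be modelled as a small check that a policy-based routing configuration can actually reach the security gateways its IPSec filter rules encapsulate to. The following Python is an added example, not z/OS Communications Server code: it uses a simplified model (routing rules matched only on source address and destination port, filter rules matched on source address and destination prefix, longest-prefix-match route tables) and a constructed configuration that mirrors FTPRULE, FTPRTES and FilterRule1 from the text. The `warning` it returns when FTPRTES lacks a route to 9.2.2.2 is the situation the last step describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


@dataclass
class Route:
    prefix: str       # destination prefix, e.g. "167.0.0.0/8"
    next_hop: str


class RouteTable:
    def __init__(self, name: str, routes: List[Route]):
        self.name, self.routes = name, routes

    def lookup(self, dest: str) -> Optional[Route]:
        """Longest-prefix match for dest, or None if the table has no route."""
        addr = ipaddress.ip_address(dest)
        hits = [r for r in self.routes if addr in _net(r.prefix)]
        return max(hits, key=lambda r: _net(r.prefix).prefixlen, default=None)


@dataclass
class RoutingRule:
    name: str
    source: str        # matched against the ORIGINAL (pre-encapsulation) packet
    dest_port: int     # e.g. 21 for FTP control traffic (simplified model)
    table: str         # route table named by the rule's action
    search_main: bool  # whether the main route table is searched after it


@dataclass
class FilterRule:
    name: str
    source: str
    dest_prefix: str
    gateway: Optional[str]  # security gateway; None means the tunnel ends at the data endpoint


@dataclass
class Packet:
    src: str
    dst: str
    dest_port: int


def route_with_ipsec(pkt, routing_rules, filter_rules, tables, main):
    """Apply the four steps from the text: select the routing rule on the original
    packet, match the IPSec filter rule, build the outer destination, then route the
    encapsulated packet with the rule's route tables. Returns a dict with the result."""
    rule = next((r for r in routing_rules
                 if r.source == pkt.src and r.dest_port == pkt.dest_port), None)
    tables_to_search = ([tables[rule.table]] if rule else []) + \
                       ([main] if rule is None or rule.search_main else [])

    def find(dest):
        for t in tables_to_search:
            r = t.lookup(dest)
            if r:
                return t.name, r
        return None, None

    table_orig, route_orig = find(pkt.dst)          # step 1: route for the original destination
    filt = next((f for f in filter_rules if f.source == pkt.src
                 and ipaddress.ip_address(pkt.dst) in _net(f.dest_prefix)), None)  # step 2
    outer_dst = filt.gateway if (filt and filt.gateway) else pkt.dst               # step 3
    table_enc, route_enc = find(outer_dst)           # step 4: route the encapsulated packet
    result = {"rule": rule.name if rule else None, "filter": filt.name if filt else None,
              "outer_dst": outer_dst, "warning": None}
    if route_enc:
        result.update(table=table_enc, next_hop=route_enc.next_hop)
    else:
        # No route to the gateway in the selected table(s): per the text, the route found for
        # the original destination is used, which may not reach the security gateway.
        result.update(table=table_orig, next_hop=route_orig.next_hop if route_orig else None,
                      warning=f"no route to security gateway {outer_dst} in "
                              f"{[t.name for t in tables_to_search]}; using route for {pkt.dst}")
    return result


def check_gateway_routes(routing_rules, filter_rules, tables, main):
    """Configuration check: each routing rule's tables must hold a route to every security
    gateway whose filter rule could match traffic from that rule's source address."""
    problems = []
    for rule in routing_rules:
        search = [tables[rule.table]] + ([main] if rule.search_main else [])
        for f in filter_rules:
            if f.gateway and f.source == rule.source and not any(t.lookup(f.gateway) for t in search):
                problems.append(f"{rule.name}: no route to gateway {f.gateway} "
                                f"({f.name}) in {[t.name for t in search]}")
    return problems


# Constructed configuration mirroring the example in the text
MAIN = RouteTable("MAIN", [Route("0.0.0.0/0", "9.1.1.254")])
FTPRTES_BROKEN = RouteTable("FTPRTES", [Route("167.0.0.0/8", "9.3.3.3")])
FTPRTES_FIXED = RouteTable("FTPRTES", [Route("167.0.0.0/8", "9.3.3.3"),
                                       Route("9.2.2.0/24", "9.2.2.2")])
RULES = [RoutingRule("FTPRULE", "9.1.1.1", 21, "FTPRTES", search_main=False)]
FILTERS = [FilterRule("FilterRule1", "9.1.1.1", "167.0.0.0/8", gateway="9.2.2.2")]
PKT = Packet("9.1.1.1", "167.1.1.1", 21)

if __name__ == "__main__":
    print(route_with_ipsec(PKT, RULES, FILTERS, {"FTPRTES": FTPRTES_BROKEN}, MAIN))
    print(route_with_ipsec(PKT, RULES, FILTERS, {"FTPRTES": FTPRTES_FIXED}, MAIN))
    print(check_gateway_routes(RULES, FILTERS, {"FTPRTES": FTPRTES_BROKEN}, MAIN))
```

With `FTPRTES_BROKEN`, the routing rule still matches on the original FTP packet and the filter rule selects 9.2.2.2 as the outer destination, but the only route available is the one for 167.1.1.1, so the packet leaves via next hop 9.3.3.3 with a warning. Adding the 9.2.2.0/24 route, as in `FTPRTES_FIXED`, sends the encapsulated packet toward the gateway. `check_gateway_routes` is the static form of the same test, run over the configuration rather than a packet.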
For more information about IP security, see IP security.