Networking Forums

IPSec Filter Question

Chupacabra, 07-21-2006, 09:52 PM

I'm working on a server with 2 nics and trying to implement a fairly simple
IPSec filter.

Nic1 faces the network (172.16.8.131/255.255.248.0)
Nic2 faces a private customer network (172.17.88.2/255.255.255.0) with 2
client PCs with 172.17.88.50 and .51 addresses.

I have created two filters. The first blocks any traffic from a subnet
(172.17.88.0/255.255.255.0) to another subnet (172.16.0.0/255.255.0.0). This
filter works beautifully; I cannot reach anything on the 172.16.x.x network
from the 172.17.88.x subnet PCs.

The second filter PERMITS any traffic from the subnet 172.17.88.0 to a
specific IP address of 172.16.8.152.

As the second filter is more specific, I would have expected traffic to be
able to pass to 172.16.8.152 because this filter will be encountered first.
However, I cannot get to 172.16.8.152 no matter what I do from any client
PCs on the 172.17.88.x subnet.

However, if I change the second filter to PERMIT traffic from the subnet
172.17.88.0 to the 172.16.8.0 subnet, I can get to 172.16.8.152 from the
172.17.88.x subnet client PCs just fine.

I just can't figure out why using the more specific filter (PERMIT to only
172.16.8.152) doesn't work, yet a less-specific PERMIT filter (to
172.16.8.0) does work?

I have enabled IPSec event logging, and I am getting nothing there in regard
to these packets being dropped. I have enabled Performance Monitor, and I
see the count of Datagrams Received Discarded go up every time I try to
access the server at 172.16.8.152.

Thanks for any ideas or help on this, it's driving me nuts!

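The poster's two filters, reproduced with `netsh ipsec static` as an added example (this is not code from the thread; the policy, filter-list, filter-action and rule names are my own assumptions, and `mirrored=yes` assumes the IPsec MMC default the poster most likely used). Scripting the policy makes it reproducible, and the `show` commands at the end dump what the IPsec driver actually loaded, which is the check to run before reasoning about which filter wins: Windows IPsec orders filters by specificity (a single address outranks a subnet, which outranks "any"), not by the order they appear in the list, so the host permit is expected to take precedence over the /16 block.

```powershell
# Added example, not from the thread. Windows Server 2003 / legacy IPsec policy.
# Run from an elevated cmd.exe or PowerShell prompt on the dual-homed server.
# Names below (policy, filter lists, actions, rules) are assumptions.

$policy = "CustomerIsolation"

# Policy container; it is created unassigned and activated at the end.
netsh ipsec static add policy "name=$policy" "description=Isolate 172.17.88.0/24 from 172.16.0.0/16"

# Filter list 1: everything from the customer subnet to 172.16.0.0/16.
# mirrored=yes also creates the reverse filter (172.16.0.0/16 -> 172.17.88.0/24),
# which is what the MMC does by default and what covers the return traffic.
netsh ipsec static add filterlist "name=Block-To-172.16"
netsh ipsec static add filter "filterlist=Block-To-172.16" `
    srcaddr=172.17.88.0 srcmask=255.255.255.0 `
    dstaddr=172.16.0.0 dstmask=255.255.0.0 `
    protocol=ANY mirrored=yes

# Filter list 2: customer subnet to the single host 172.16.8.152 (/32).
netsh ipsec static add filterlist "name=Permit-To-152"
netsh ipsec static add filter "filterlist=Permit-To-152" `
    srcaddr=172.17.88.0 srcmask=255.255.255.0 `
    dstaddr=172.16.8.152 dstmask=255.255.255.255 `
    protocol=ANY mirrored=yes

# Filter actions: plain block and plain permit, no IPsec negotiation.
netsh ipsec static add filteraction "name=Block" action=block
netsh ipsec static add filteraction "name=Permit" action=permit

# Rules tie a filter list to an action inside the policy. The order in which
# the rules are added does not matter: the driver sorts filters by specificity
# (specific address > subnet > any), so the /32 permit is matched before the /16 block.
netsh ipsec static add rule "name=Block-172.16" "policy=$policy" "filterlist=Block-To-172.16" "filteraction=Block"
netsh ipsec static add rule "name=Permit-152" "policy=$policy" "filterlist=Permit-To-152" "filteraction=Permit"

# Assign (activate) the policy on this machine.
netsh ipsec static set policy "name=$policy" assign=y

# Verification. The static view is what is stored in the policy store; the
# dynamic view is what the IPsec driver actually loaded, with mirrored filters
# expanded into both directions. Compare the two (and the MMC) when a filter
# does not behave as expected.
netsh ipsec static show policy "name=$policy" level=verbose
netsh ipsec dynamic show all
netsh ipsec dynamic show stats type=all
```

To roll the policy back, `netsh ipsec static set policy "name=$policy" assign=n` unassigns it and `netsh ipsec static delete policy "name=$policy"` removes it. When testing a change, unassign and reassign the policy (or check `netsh ipsec dynamic show all` again) so that the test is against the filters the driver currently holds rather than the ones just edited in the store.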
Michel, 07-23-2006, 09:26 PM

If the clients from 172.17.88.x need to access 172.16.8.x, they pass
through the server at 172.16.8.131, because that should be the way they are
routed. What happens if you allow traffic to 172.16.8.131 together
with 172.16.8.152?

Michel

Chupacabra, 07-24-2006, 01:19 PM


Michel wrote:

> If the clients from 172.17.88.x need to access 172.16.8.x, they pass
> through the server at 172.16.8.131, because that should be the way they are
> routed. What happens if you allow traffic to 172.16.8.131 together
> with 172.16.8.152?


Good idea, but it didn't work. I just tried adding that filter with a
Permit, but I still cannot access 172.16.8.152 from any of my workstations
on the 172.17.88.x subnet.
