IPSec packet forwarding flow on the USG5000

In the NGFW processing flow, IPSec processing takes place after NAT, routing and security-policy processing. The intent is that NAT policies must not rewrite packets that are to be protected by an IPSec policy, and that those packets are delivered, by matching a route and a security policy, to the interface on which the IPSec policy is applied. This imposes the following requirements:
1. Packets arriving at the NGFW must not match an entry in the server map or reverse server map created by the NAT server function. Otherwise their destination addresses are translated before IPSec processing.
2. Packets arriving at the NGFW must not match a destination NAT policy. Otherwise their destination addresses are translated before IPSec processing.
3. The routing table must contain a route (usually the default route) to the IKE peer's private network, and the outbound interface of that route must have the IPSec policy applied. If no route matches, the packets are discarded; if the outbound interface of the matching route does not apply the IPSec policy, the packets never reach the IPSec processing module and are sent in plaintext.
4. IPSec VPN traffic normally crosses zones, so inter-zone packet filtering between the source zone (where the intranet interface resides) and the destination zone (where the external interface carrying the IPSec policy resides) must be enabled and must permit the traffic. Otherwise the packets are discarded.
5. Source NAT for packets that pass the inter-zone packet filter is optional. Packets that match an inter-zone source NAT policy have their source addresses translated, and it is the translated source address that is then matched against the security ACL; packets that match no source NAT policy go straight to the IPSec processing module. In practice the source NAT policy must therefore exclude the flows to be protected, or the security ACL must be written for the translated addresses.
6. Packets that reach the IPSec processing module are protected only if they match the security ACL rules. Otherwise the packets are discarded.
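The six requirements above describe one ordered pipeline, and the failure modes (a destination rewritten by NAT, a route that exits a non-IPSec interface, a post-source-NAT address that no longer matches the security ACL) all come from that order. The following is an added example, written for this page and not Huawei code, that models the pipeline in the documented order and runs a constructed intranet-to-peer flow through several deliberately misconfigured variants. The interface names, zones, addresses and the tuple shapes used for the NAT, route and ACL tables are all assumptions made for the simulation.

```python
"""Simplified simulation of the USG5000 NGFW processing order for IPSec-bound
traffic. Hypothetical model written for this page; stage order follows the six
requirements in the text, not any real Huawei implementation."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Config:
    server_map: dict        # NAT server map: public dst -> private dst
    dst_nat: dict           # destination NAT policy: dst CIDR -> translated dst
    routes: list            # (dst CIDR, outbound interface)
    ipsec_interfaces: set   # interfaces that apply the IPSec policy
    zone_of: dict           # interface -> security zone
    interzone_permit: set   # (src zone, dst zone) pairs whose filter permits the flow
    src_nat: list           # ("nat"|"no-nat", src CIDR, dst CIDR, translated src), in order
    security_acl: list      # (src CIDR, dst CIDR) permit rules of the IPSec policy
    ingress_zone: str = "trust"


def _match(addr, cidr):
    return ip_address(addr) in ip_network(cidr)


def forward(pkt, cfg):
    """Walk one packet through the stages and return (outcome, packet as seen by IPSec)."""
    # Requirements 1 and 2: server map and destination NAT run first, so a hit
    # rewrites the destination before routing and before the IPSec ACL check.
    if pkt.dst in cfg.server_map:
        pkt = replace(pkt, dst=cfg.server_map[pkt.dst])
    for cidr, new_dst in cfg.dst_nat.items():
        if _match(pkt.dst, cidr):
            pkt = replace(pkt, dst=new_dst)
            break
    # Requirement 3: longest-prefix route lookup; egress must carry the IPSec policy.
    routes = sorted(cfg.routes, key=lambda r: ip_network(r[0]).prefixlen, reverse=True)
    iface = next((i for cidr, i in routes if _match(pkt.dst, cidr)), None)
    if iface is None:
        return "DROPPED_NO_ROUTE", pkt
    if iface not in cfg.ipsec_interfaces:
        return "PLAINTEXT", pkt
    # Requirement 4: inter-zone packet filter between ingress and egress zones.
    if (cfg.ingress_zone, cfg.zone_of[iface]) not in cfg.interzone_permit:
        return "DROPPED_POLICY", pkt
    # Requirement 5: first matching source NAT rule wins; a "no-nat" rule
    # excludes the flow, a "nat" rule rewrites the source the ACL will see.
    for action, s_cidr, d_cidr, new_src in cfg.src_nat:
        if _match(pkt.src, s_cidr) and _match(pkt.dst, d_cidr):
            if action == "nat":
                pkt = replace(pkt, src=new_src)
            break
    # Requirement 6: only flows matching the security ACL are protected.
    for s, d in cfg.security_acl:
        if _match(pkt.src, s) and _match(pkt.dst, d):
            return "PROTECTED", pkt
    return "DROPPED_ACL_MISMATCH", pkt


def demo():
    """Run constructed scenarios; returns {scenario name: (outcome, packet)}."""
    pkt = Packet(src="10.1.1.5", dst="10.2.2.5")  # constructed intranet-to-peer flow
    base = Config(  # assumed working configuration
        server_map={}, dst_nat={},
        routes=[("0.0.0.0/0", "GE0/0/1")],
        ipsec_interfaces={"GE0/0/1"},
        zone_of={"GE0/0/0": "trust", "GE0/0/1": "untrust"},
        interzone_permit={("trust", "untrust")},
        src_nat=[("no-nat", "10.1.1.0/24", "10.2.2.0/24", None),   # exclude VPN flows
                 ("nat", "10.1.1.0/24", "0.0.0.0/0", "1.1.1.1")],  # Easy-IP for the rest
        security_acl=[("10.1.1.0/24", "10.2.2.0/24")],
    )
    scenarios = {
        "correct": base,
        "server_map_hit": replace(base, server_map={"10.2.2.5": "172.16.0.5"}),
        "dnat_rewrites_dst": replace(base, dst_nat={"10.2.2.0/24": "192.168.9.9"}),
        "no_route": replace(base, routes=[]),
        "egress_without_ipsec": replace(base, ipsec_interfaces=set()),
        "interzone_denied": replace(base, interzone_permit=set()),
        "snat_without_exclusion": replace(base, src_nat=base.src_nat[1:]),
    }
    return {name: forward(pkt, cfg) for name, cfg in scenarios.items()}


if __name__ == "__main__":
    for name, (outcome, seen) in demo().items():
        print(f"{name:24s} {outcome:22s} IPSec sees {seen.src} -> {seen.dst}")
```

The `snat_without_exclusion` case is the one most often hit in practice: the flow passes every earlier stage, but the ACL is matched against the translated source 1.1.1.1, so it is dropped rather than encrypted. Ordering a `no-nat` rule for the protected subnets ahead of the general source NAT rule, as `base` does, keeps the original addresses for the ACL check.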
