Re: Is tunnel IP address included in SA?



  Hi Motonori,

> Let's suppose the following network:
> 
>       |                               |
>  PC1 -+                               +- PC2
>       |         (Internet)            |
>       +-- R1 --- ......... --- R2 ----+
>       |                               |
> 
> Assume that R1 and R2 can do IPsec while PC1 and PC2 can't. PC1 sends
> an IP datagram to PC2. 
> 
> In this case, 
> 
>  (1) R1 has to have an SA associated with PC2, right?

No, if PC2 doesn't do IPSec then the tunnel endpoint is R2. R1 and R2 share
SAs.

>  (2) Must AH and ESP be handled in tunnel mode?

Yes.

>  (3) How can one figure out the tunnel IP address for a particular
>      destination address? Is Tunnel IP address included in SA?

If you're using ISAKMP/Oakley to negotiate the SAs the identities are
passed in the Quick Mode exchange. Note that the actual identity depends
on the configuration of R1. R1 could use proxy IDs with subnet 1 (where PC1
resides) and subnet 2 (where PC2 resides); he could use the actual IP
addresses of PC1 and PC2; or, he could use even more granularity: he
could use the actual IP address and also specify the protocol and port of the
service that PC1 is attempting on PC2.

As I said, it all depends on the config on R1 but it's possible to say that
all telnet sessions from PC1 to PC2 get a unique SA, all ftp's from a host
on subnet 1 to a host on subnet 2 share another, and everybody else
shares a "catch-all" SA.

 Dan.
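The three-tier policy Dan describes (a unique SA for telnet from PC1 to PC2, a shared SA for ftp between subnet 1 and subnet 2, and a catch-all SA for everything else) as an added worked example; this is not code from the original thread or from any IPsec implementation. It models R1's security policy database as a list of traffic selectors, each pointing at a tunnel-mode SA whose endpoint is R2, and resolves an outbound packet to the most specific matching selector. All addresses (documentation ranges), SPIs and entry names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed topology: subnet 1 behind R1, subnet 2 behind R2.
SUBNET1 = ipaddress.ip_network("192.0.2.0/24")
SUBNET2 = ipaddress.ip_network("198.51.100.0/24")
PC1 = ipaddress.ip_address("192.0.2.10")
PC2 = ipaddress.ip_address("198.51.100.20")
R1 = ipaddress.ip_address("203.0.113.1")   # tunnel endpoint on R1's outer interface
R2 = ipaddress.ip_address("203.0.113.2")   # tunnel endpoint on R2's outer interface

TCP = 6
TELNET_PORT = 23
FTP_PORT = 21


@dataclass(frozen=True)
class Selector:
    """Traffic selector (the 'proxy ID' granularity Dan describes)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None   # None means any protocol
    dport: Optional[int] = None   # None means any destination port

    def matches(self, src, dst, proto, dport) -> bool:
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))

    def specificity(self) -> int:
        # Longer prefixes and protocol/port constraints make a selector more specific.
        return (self.src.prefixlen + self.dst.prefixlen
                + (1 if self.proto is not None else 0)
                + (1 if self.dport is not None else 0))


@dataclass(frozen=True)
class SAEntry:
    """The SA an outbound packet is protected with (constructed values)."""
    name: str
    spi: int
    tunnel_src: ipaddress.IPv4Address
    tunnel_dst: ipaddress.IPv4Address
    mode: str = "tunnel"   # PC1/PC2 cannot do IPsec, so R1<->R2 must use tunnel mode


# R1's policy: most specific entry first is not required; lookup picks by specificity.
SPD: List[Tuple[Selector, SAEntry]] = [
    (Selector(ipaddress.ip_network(f"{PC1}/32"), ipaddress.ip_network(f"{PC2}/32"), TCP, TELNET_PORT),
     SAEntry("telnet-pc1-pc2", 0x1001, R1, R2)),
    (Selector(SUBNET1, SUBNET2, TCP, FTP_PORT),
     SAEntry("ftp-subnet1-subnet2", 0x1002, R1, R2)),
    (Selector(SUBNET1, SUBNET2),
     SAEntry("catch-all-subnet1-subnet2", 0x1003, R1, R2)),
]


def lookup(spd, src, dst, proto, dport) -> Optional[SAEntry]:
    """Return the SA for an outbound packet, or None if no policy covers it."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    candidates = [(sel.specificity(), sa) for sel, sa in spd
                  if sel.matches(src, dst, proto, dport)]
    if not candidates:
        return None
    # Most specific selector wins; ties resolve to the earlier SPD entry.
    return max(candidates, key=lambda c: c[0])[1]


if __name__ == "__main__":
    for pkt in [(PC1, PC2, TCP, TELNET_PORT),
                ("192.0.2.33", "198.51.100.7", TCP, FTP_PORT),
                (PC1, PC2, TCP, 22),
                (PC1, "203.0.113.99", TCP, 80)]:
        sa = lookup(SPD, *pkt)
        print(pkt, "->", sa.name if sa else "no SA", "via", sa.tunnel_dst if sa else "-")
```

Every SA the lookup returns carries R2 as its tunnel destination, which is the answer to question (3): the outer destination comes from the SA selected by the policy, not from the inner destination address.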