
IPsec SA establishment through ISAKMP



I would like some clarification on the following thoughts. I have
assumed that each host has separate OUTBOUND and INBOUND SADs. They also
have separate OUTBOUND and INBOUND SPDs.

i) When a host A sends an ISAKMP proposal payload to host B, would not
the proposals be based on the INBOUND IPsec policy (SPD) on host A
(since IPsec SAs are receiver-oriented)? And since the SPIs for the
proposals are determined by the protocols supported on host A, the tuple
<destination address, ipsec protocol, SPI> will be unique on host A.

ii) If (i) is correct, then B chooses a proposal based on the OUTBOUND
IPsec policy (SPD) and returns it in its reply (proposal payload). This
proposal represents the IPsec processing (or transforms) that B applies
when it sends data packets to A. So B would create an SA with the
selected proposal in the OUTBOUND SAD.

iii) If (i) is correct, then steps (i) and (ii) only achieve secure
communication from B to A. If B too were to initiate a proposal payload,
then communication could be secured from A to B also just like in (i)
and (ii). But if the ISAKMP on B does not initiate a proposal payload,
is there some way for A to force it?


Thanks

Titus.
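The bookkeeping the post reasons about, as an added example (it is not part of the original message): two hosts with separate inbound/outbound SPDs and SADs, a proposal that carries the proposer's own inbound SPI, and a reply that carries the responder's inbound SPI. The model follows IKEv1 Quick Mode (RFC 2409 section 5.5), where each SPI is chosen by the receiving side and a single exchange installs one SA in each direction. The host addresses, transform names and message dictionaries are constructed for the example.

```python
"""Toy model of one IKEv1-style Quick Mode exchange between two hosts.

Added example, not code from the original post. Each host keeps separate
inbound/outbound SPDs and SADs, as the post assumes. Each side chooses the
SPI for the SA it will RECEIVE on, and one exchange installs an SA in each
direction (RFC 2409 section 5.5). Addresses and transform names are made up.
"""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class SA:
    dst: str          # destination address of the protected packets
    proto: str        # "ESP" or "AH"
    spi: int          # chosen by the receiver of the packets
    transform: str    # agreed algorithm suite


@dataclass
class Host:
    addr: str
    inbound_spd: list           # transforms acceptable for traffic we receive
    outbound_spd: list          # transforms acceptable for traffic we send
    inbound_sad: dict = field(default_factory=dict)    # (dst, proto, spi) -> SA
    outbound_sad: dict = field(default_factory=dict)   # (dst, proto, spi) -> SA

    def new_spi(self, proto):
        """Pick an SPI unique among our inbound SAs for this (dst, proto)."""
        while True:
            spi = secrets.randbelow(2**32 - 256) + 256   # SPIs 1..255 are reserved
            if (self.addr, proto, spi) not in self.inbound_sad:
                return spi

    def build_proposal(self, proto):
        """Initiator: offer transforms allowed by BOTH our SPDs (one transform
        will protect both directions) and carry our own inbound SPI."""
        offered = [t for t in self.inbound_spd if t in self.outbound_spd]
        return {"proto": proto, "spi": self.new_spi(proto), "transforms": offered}

    def respond(self, proposal, peer):
        """Responder: take the first offered transform both our SPDs allow, install
        the outbound SA under the peer's SPI and the inbound SA under our own."""
        ok = [t for t in proposal["transforms"]
              if t in self.outbound_spd and t in self.inbound_spd]
        if not ok:
            return None                      # no proposal chosen; nothing installed
        chosen, proto = ok[0], proposal["proto"]
        my_spi = self.new_spi(proto)
        self.outbound_sad[(peer, proto, proposal["spi"])] = SA(peer, proto, proposal["spi"], chosen)
        self.inbound_sad[(self.addr, proto, my_spi)] = SA(self.addr, proto, my_spi, chosen)
        return {"proto": proto, "spi": my_spi, "transform": chosen}

    def complete(self, proposal, reply, peer):
        """Initiator, on the reply: inbound SA under our SPI, outbound under the peer's."""
        proto, chosen = proposal["proto"], reply["transform"]
        self.inbound_sad[(self.addr, proto, proposal["spi"])] = SA(self.addr, proto, proposal["spi"], chosen)
        self.outbound_sad[(peer, proto, reply["spi"])] = SA(peer, proto, reply["spi"], chosen)


def negotiate(initiator, responder, proto="ESP"):
    """Run one exchange; return (initiator_inbound_spi, responder_inbound_spi) or None."""
    proposal = initiator.build_proposal(proto)
    reply = responder.respond(proposal, initiator.addr)
    if reply is None:
        return None
    initiator.complete(proposal, reply, responder.addr)
    return proposal["spi"], reply["spi"]


def sas_paired(a, b):
    """True if every outbound SA on one host matches an inbound SA on the other."""
    def matches(sender, receiver):
        return all(key in receiver.inbound_sad
                   and receiver.inbound_sad[key].transform == sa.transform
                   for key, sa in sender.outbound_sad.items())
    return matches(a, b) and matches(b, a)


if __name__ == "__main__":
    a = Host("10.0.0.1", ["aes128-sha1", "3des-md5"], ["aes128-sha1", "3des-md5"])
    b = Host("10.0.0.2", ["3des-md5", "aes128-sha1"], ["aes128-sha1"])
    print(negotiate(a, b), sas_paired(a, b))
```

The inbound SAD is keyed by the tuple <destination address, protocol, SPI> from the post, so `new_spi` only has to avoid collisions among a host's own inbound entries; the peer's SPI space is never consulted. A failed selection leaves both SADs untouched, which is the behaviour a defender wants to verify after an unexpected negotiation failure.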

