
Multiple Phase 1 tunnels and proxy ID issues



I have the following questions on ISAKMP/IPsec:

1) Multiple Phase 1 tunnels between a pair of ISAKMP
entities.

Suppose GW1 and GW2 are ISAKMP peers and are
configured with security policies. If multiple Phase 1
SAs are established between them, and assuming
the IDii and IDir are the same for each of the Phase 1
SAs, then when a Phase 2 SA needs to be negotiated,
how do we decide which Phase 1 SA to use? A related
question is: do we really need multiple Phase 1 SAs
between the same pair of ISAKMP peers?

2) Phase 1 ID
Suppose the ISAKMP engine is on a multi-homed
host, such as a router, which can talk with multiple
peers on different subnets. Do we need different local IDs
for each subnet? Is there an advantage to using
different IDs for different subnets, or should we just use
one ID for every peer?

On the other hand, when the ISAKMP engine is an end host
with one IP address, do we need more than one
local ID when it talks to the same peer, or just one
local ID?

I think this boils down to the policy configuration, in terms
of how much granularity is given to the Phase 1 policy
setup. I would appreciate feedback based on
implementation experience.


3) Phase 2 Proxy ID
For Phase 2 negotiation, the ID payload can be of
type "fully qualified user name string", such as
piper@foo.com. Even if we can negotiate the Phase 2
SA successfully, the negotiated SA cannot be used
to protect packets until the user name is turned into
some IP address (host, range, subnet). How do we
solve this user name to IP address mapping? Assuming
the user is mobile, this mapping can be quite dynamic.

Thanks!

Cliff Wang
IBM
cxwang@us.ibm.com
919 486 1255
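The following Python model is an added example for questions 1) and 3) above; it is not part of the message and does not describe any particular IBM or other implementation. It assumes one plausible Phase 1 selection policy (use the most recently established live ISAKMP SA to the same peer address and IDir), an assumed out-of-band table `user_map` from user FQDN to the address that user currently holds, and constructed sample cookies and RFC 5737 documentation addresses. The ID type numbers are the IPsec DOI values from RFC 2407. The point it shows is that ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET and ID_IPV4_ADDR_RANGE proxy IDs convert directly into packet selectors, while ID_USER_FQDN cannot be matched against any packet until something maps the name to an address.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# IPsec DOI identification types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_USER_FQDN = 3
ID_IPV4_ADDR_SUBNET = 4
ID_IPV4_ADDR_RANGE = 7


@dataclass
class Phase1SA:
    """One ISAKMP (Phase 1) SA, identified by its initiator/responder cookie pair."""
    cookies: tuple[bytes, bytes]
    peer_addr: str
    peer_id: tuple[int, str]   # (ID type, ID data) as carried in IDii/IDir
    established: int           # seconds; a real daemon would use a monotonic clock
    lifetime: int              # seconds

    def alive(self, now: int) -> bool:
        return now < self.established + self.lifetime


def select_phase1(isakmp_sadb: list[Phase1SA], peer_addr: str,
                  peer_id: tuple[int, str], now: int) -> Optional[Phase1SA]:
    """Choose the Phase 1 SA under which to run a Quick Mode exchange.

    Assumed policy (one common choice, not something the post states): among
    SAs to the same peer address with the same IDir that are still within
    lifetime, use the most recently established one.  Older SAs then only
    need to live until the Phase 2 SAs negotiated under them expire.
    """
    candidates = [sa for sa in isakmp_sadb
                  if sa.peer_addr == peer_addr and sa.peer_id == peer_id and sa.alive(now)]
    if not candidates:
        return None
    return max(candidates, key=lambda sa: sa.established)


@dataclass
class Selector:
    """Address selector derived from a Phase 2 ID payload (inclusive integer bounds)."""
    low: int
    high: int

    def contains(self, addr: str) -> bool:
        return self.low <= int(ipaddress.IPv4Address(addr)) <= self.high


def proxy_id_to_selector(id_type: int, id_data, user_map: dict[str, str]) -> Selector:
    """Turn a Phase 2 (proxy) ID into a selector an SPD/SAD lookup can use.

    ID_USER_FQDN carries no address at all, so it is only usable once it has
    been mapped; `user_map` is an assumed out-of-band mapping (for instance
    the address a remote-access server has handed to that user right now).
    """
    if id_type == ID_IPV4_ADDR:
        a = int(ipaddress.IPv4Address(id_data))
        return Selector(a, a)
    if id_type == ID_IPV4_ADDR_SUBNET:
        addr, mask = id_data                       # two 4-octet fields in the payload
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        return Selector(int(net.network_address), int(net.broadcast_address))
    if id_type == ID_IPV4_ADDR_RANGE:
        lo, hi = id_data
        return Selector(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
    if id_type == ID_USER_FQDN:
        addr = user_map.get(id_data)
        if addr is None:
            raise LookupError(f"no address currently known for user {id_data}")
        a = int(ipaddress.IPv4Address(addr))
        return Selector(a, a)
    raise ValueError(f"unsupported ID type {id_type}")


def packet_is_covered(local_sel: Selector, remote_sel: Selector, src: str, dst: str) -> bool:
    """Outbound check: does a Phase 2 SA with these selectors protect src -> dst?"""
    return local_sel.contains(src) and remote_sel.contains(dst)


if __name__ == "__main__":
    # Constructed sample: three ISAKMP SAs to the same peer, one already expired.
    peer = (ID_IPV4_ADDR, "192.0.2.2")
    sadb = [
        Phase1SA((b"\x01" * 8, b"\x02" * 8), "192.0.2.2", peer, established=100, lifetime=3600),
        Phase1SA((b"\x03" * 8, b"\x04" * 8), "192.0.2.2", peer, established=500, lifetime=3600),
        Phase1SA((b"\x05" * 8, b"\x06" * 8), "192.0.2.2", peer, established=900, lifetime=10),
    ]
    chosen = select_phase1(sadb, "192.0.2.2", peer, now=1000)
    print("Quick Mode would run under the SA established at", chosen.established)

    local = proxy_id_to_selector(ID_IPV4_ADDR_SUBNET, ("10.1.2.0", "255.255.255.0"), {})
    try:
        proxy_id_to_selector(ID_USER_FQDN, "piper@foo.com", {})
    except LookupError as e:
        print("unmapped user FQDN cannot protect traffic yet:", e)
    remote = proxy_id_to_selector(ID_USER_FQDN, "piper@foo.com", {"piper@foo.com": "198.51.100.7"})
    print("covers 10.1.2.77 -> 198.51.100.7:", packet_is_covered(local, remote, "10.1.2.77", "198.51.100.7"))
```

Note that the `user_map` lookup is exactly the dynamic part the post asks about: if the mobile user's address changes, the selector derived from the same ID_USER_FQDN payload changes with it, so the mapping has to be refreshed (or the Phase 2 SA renegotiated) whenever the user moves.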

