[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SA sharing question

To: Cliff Wang <cxwang@us.ibm.com>
Subject: Re: SA sharing question
From: Daniel Harkins <dharkins@cisco.com>
Date: Thu, 28 May 1998 09:11:53 -0700
Cc: ipsec@tis.com
In-Reply-To: Your message of "Thu, 28 May 1998 12:05:33 EDT." <5040200015520088000002L082*@MHS>
Sender: owner-ipsec@ex.tis.com

  Cliff,

  Yes, it can share the SA. This is done by having GW1 specify 
phase 2 subnet identities. The packet from a1 to b1 will trigger
an IKE negotiation and if the phase 2 identities were net-a to
net-b (instead of address a1 to address b1) then when the 
packet from a2 to b2 reached GW1 it would use the existing SA.

  Dan.

> GW1 and GW2 are gateways negotiating
> IPsec SAs for hosts behind them.
> 
> Suppose an IPsec SA has been set up between host
> a1 and b1. Later a2 and b2 need to have a SA
> for traffic protection. Of course a2 and b2 can
> negotiate a new SA through GW1 and GW2.
> If SA sharing is intended, can the first SA
> between a1 and b1 be used for traffic between
> a2 and b2 without a new SA? How to negotiate
> this SA sharing?
> 
> a1 ---|                                            |---  b1
>           |--GW1  ----------- GW 2--|
> a2 ---|                                            |---  b2
> 
> Thanks!
> 
> Cliff Wang
> IBM, cxwang@us.ibm.com

References:

SA sharing question

From: Cliff Wang <cxwang@us.ibm.com>

Prev by Date: SA sharing question
Next by Date: RE: IPCOMP and IPSEC
Prev by thread: SA sharing question
Next by thread: Re: SA sharing question
Index(es):
- Main
- Thread