
Re: SA sharing question



Dan,

Seems to me it is a policy issue. When a packet from
a1 to b1 triggers the IKE negotiation, if IDci=a1
and IDcr=b1, that SA can never be shared by a2-b2.
Only when IDci=Subnet A and IDcr=Subnet B can that SA
be used by any traffic between A and B. For
that case, the SA is defined to be used for the
whole subnet. However, I guess whether to use
host a1-b1 or subnet A-B in the IDci/IDcr for the
first SA is a local policy issue.
thanks,
cliff


dharkins@cisco.com on 05/28/98 12:07:02 PM
Please respond to dharkins@cisco.com
To: Cliff Wang/Raleigh/IBM@ibmus
cc: ipsec@tis.com
Subject: Re: SA sharing question


  Cliff,

  Yes, it can share the SA. This is done by having GW1 specify
phase 2 subnet identities. The packet from a1 to b1 will trigger
an IKE negotiation and if the phase 2 identities were net-a to
net-b (instead of address a1 to address b1) then when the
packet from a2 to b2 reached GW1 it would use the existing SA.

  Dan.

> GW1 and GW2 are gateways negotiating
> IPsec SAs for hosts behind them.
>
> Suppose an IPsec SA has been set up between host
> a1 and b1. Later a2 and b2 need to have a SA
> for traffic protection. Of course a2 and b2 can
> negotiate a new SA through GW1 and GW2.
> If SA sharing is intended, can the first SA
> between a1 and b1 be used for traffic between
> a2 and b2 without a new SA? How to negotiate
> this SA sharing?
>
> a1 ---|                       |--- b1
>       |--GW1 ----------- GW2--|
> a2 ---|                       |--- b2
>
> Thanks!
>
> Cliff Wang
> IBM, cxwang@us.ibm.com
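
As an added illustration that is not part of this thread, here is the SA lookup both replies describe, modelled in Python: an SA is keyed by the phase 2 identities it was negotiated with, and a packet can reuse it only when its source falls inside IDci and its destination inside IDcr, otherwise a new IKE negotiation is triggered. The `ChildSA` and `find_sa` names, the SPIs and the 10.1.0.0/24 and 10.2.0.0/24 subnets are constructed for the example.

```python
# Added example (not from the thread): how a gateway decides whether a packet
# can reuse an existing IPsec SA based on the phase 2 identities (IDci/IDcr).
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class ChildSA:
    """One negotiated SA and the phase 2 identities it was set up with.

    A host identity is stored as a /32 network, a subnet identity as the
    subnet itself, so the same membership test covers both cases.
    """
    spi: int
    idci: IPv4Network   # initiator-side identity (traffic source, behind GW1)
    idcr: IPv4Network   # responder-side identity (traffic destination, behind GW2)

    def covers(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.idci and dst in self.idcr

def find_sa(sad: List[ChildSA], src: str, dst: str) -> Optional[ChildSA]:
    """Return the first SA whose identities cover the packet.

    None means no SA applies and the packet would trigger a new
    IKE phase 2 negotiation for the pair (src, dst).
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    for sa in sad:
        if sa.covers(s, d):
            return sa
    return None

# Constructed topology: net-a = 10.1.0.0/24 behind GW1, net-b = 10.2.0.0/24 behind GW2.
A1, A2 = "10.1.0.1", "10.1.0.2"
B1, B2 = "10.2.0.1", "10.2.0.2"

# Policy 1: GW1 used host identities for the first SA, so it covers a1<->b1 only.
HOST_SAD = [ChildSA(spi=0x1001, idci=ip_network(A1 + "/32"), idcr=ip_network(B1 + "/32"))]

# Policy 2: GW1 used subnet identities (net-a <-> net-b), so a2->b2 reuses the SA.
SUBNET_SAD = [ChildSA(spi=0x2001, idci=ip_network("10.1.0.0/24"), idcr=ip_network("10.2.0.0/24"))]

if __name__ == "__main__":
    for name, sad in (("host IDs", HOST_SAD), ("subnet IDs", SUBNET_SAD)):
        for src, dst in ((A1, B1), (A2, B2)):
            sa = find_sa(sad, src, dst)
            print(f"{name}: {src}->{dst}: " + (f"reuse SPI {sa.spi:#x}" if sa else "new negotiation"))
```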