
Re: multiple phase 1 tunnel and proxy ID issues



On Tue, May 26, 1998 at 04:29:03PM -0400, Roy Pereira wrote:
> For a mobile client, its phase 1 ID will be something like an email
> address since its IP address is not static.  For its phase 2 ID though,
> it will need to send an IP address.  This IP address is its dynamically
> assigned IP address that it received through PPP, DHCP, ISAKMP-CFG or
> any other means.  The trick is that the gateway must be able to remember
> the phase 1 ID to get policy for the phase 2 negotiation.

This brings up a question I've had and haven't seen answered yet.  Can
IDii be used by the responder to determine which security policy to use
in Phase 1 if aggressive mode is used?  Note that in main mode, the
source IP address in the header of the first message must be used by the
responder to locate the security policy/proposal list with which to
negotiate.  This leads to ambiguity on the responder side when trying to
create multiple P1 tunnels between the same two hosts (is this
negotiation creating a new P1 tunnel or is it a SA refresh for an
existing P1 tunnel?).  If IDii can be used (are others doing this?) in
aggressive mode and the IDii's are unique for each P1 tunnel then the
responder can unambiguously determine which security policy to use and
whether the negotiation is "refreshing" an existing P1 tunnel.

-- 
Will Fiveash    
IBM AIX System Development        Internet: will@austin.ibm.com
11400 Burnet Road, Bld.905/9551   Notes: will@austin.ibm.com@internet
Austin, TX 78758-3493  Phone:(512) 838-7904(off)/3509(fax), T/L 678-7904 
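The policy-lookup problem Will describes (main mode message 1 exposes only the initiator's source IP, aggressive mode message 1 also carries IDii) can be modelled in a few lines. The following is an added illustration written for this archive page, not code from any poster or IKE implementation; the policy names, identities and addresses are constructed, and the `Responder` class is a hypothetical toy model of a gateway's Phase 1 policy table, not a protocol implementation.

```python
"""Toy model of an IKE responder's Phase 1 policy selection.

Constructed illustration (not from the thread): it shows why keying
policy on the peer's source IP alone is ambiguous when two Phase 1
tunnels terminate on the same host, and how a unique IDii per tunnel
(available only in aggressive mode message 1) lets the responder pick
the policy and tell a new tunnel from an SA refresh.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    peer_ip: Optional[str]   # None for a mobile client with a dynamic address
    idii: str                # identity the initiator is expected to send
    proposal: str            # transform set offered for this tunnel (label only)


class AmbiguousPolicy(Exception):
    """More than one Phase 1 policy matches the only selector available."""


class Responder:
    def __init__(self, policies):
        self.policies = list(policies)
        # live Phase 1 SAs, keyed by the identity that selected them
        self.established = {}

    def lookup_main_mode(self, peer_ip):
        """Main mode: message 1 carries no identity, only the header source IP."""
        matches = [p for p in self.policies if p.peer_ip == peer_ip]
        if not matches:
            raise KeyError(f"no Phase 1 policy for peer {peer_ip}")
        if len(matches) > 1:
            # Two P1 tunnels to the same host: the responder cannot tell which
            # one is being negotiated, nor whether this is a refresh of it.
            raise AmbiguousPolicy(
                f"{len(matches)} policies match {peer_ip}: "
                + ", ".join(p.name for p in matches)
            )
        return matches[0]

    def lookup_aggressive_mode(self, idii):
        """Aggressive mode: message 1 carries IDii, so select on identity."""
        for p in self.policies:
            if p.idii == idii:
                return p
        raise KeyError(f"no Phase 1 policy for identity {idii}")

    def handle_aggressive(self, peer_ip, idii):
        """Select the policy by IDii and classify the exchange.

        Returns (policy name, 'new' | 'refresh'). The source IP is recorded
        but not used for selection, which is what allows a mobile client
        whose address changes to still hit the right policy.
        """
        policy = self.lookup_aggressive_mode(idii)
        if idii in self.established:
            self.established[idii]["peer_ip"] = peer_ip
            return policy.name, "refresh"
        self.established[idii] = {"peer_ip": peer_ip, "policy": policy.name}
        return policy.name, "new"


# Constructed policy table: two tunnels to one static peer, one branch
# gateway with a unique address, and one mobile user with no fixed address.
POLICIES = [
    Policy("hq-link-a", "192.0.2.10", "tunnel-a@example.net", "3DES-SHA1-group2"),
    Policy("hq-link-b", "192.0.2.10", "tunnel-b@example.net", "3DES-MD5-group1"),
    Policy("branch", "203.0.113.5", "branch-gw@example.net", "3DES-SHA1-group2"),
    Policy("mobile-alice", None, "alice@example.net", "3DES-SHA1-group2"),
]


def demo():
    """Run the scenarios from the thread and return their outcomes."""
    r = Responder(POLICIES)
    results = {}
    results["main_branch"] = r.lookup_main_mode("203.0.113.5").name
    try:
        r.lookup_main_mode("192.0.2.10")
        results["main_hq"] = "selected"
    except AmbiguousPolicy:
        results["main_hq"] = "ambiguous"
    results["aggr_a_first"] = r.handle_aggressive("192.0.2.10", "tunnel-a@example.net")
    results["aggr_b_first"] = r.handle_aggressive("192.0.2.10", "tunnel-b@example.net")
    results["aggr_a_again"] = r.handle_aggressive("192.0.2.10", "tunnel-a@example.net")
    # mobile client shows up from two different dynamic addresses
    results["alice_first"] = r.handle_aggressive("198.51.100.7", "alice@example.net")
    results["alice_moved"] = r.handle_aggressive("198.51.100.42", "alice@example.net")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the two cases side by side: the main-mode lookup for 192.0.2.10 is reported as ambiguous because both HQ tunnels share that address, while the aggressive-mode lookups select `hq-link-a` and `hq-link-b` by IDii, flag the second negotiation for `tunnel-a@example.net` as a refresh, and keep matching `alice@example.net` after her address changes.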