
RE: use of client IDs



Dan,

> In my opinion it would be bad for Z to have related policy (which would
> allow it to accept this negotiation) since it would require every single
> packet sent to it and sent from it to go through this box. And that is not
> realistic.

An SA is a simplex connection, and asymmetric routes are not
uncommon. If a box accepts packets from a source IP address of
"any", that arrive over an SA, it should not imply that the
box has only one default route for sending packets, which all
packets must follow, and which has a nexthop IP address of the
other end of the SA.

I think I now see where some of the confusion lies, however.
If I have two routers, and a GRE or L2TP tunnel between them,
and I want to secure the GRE or L2TP tunnel with IPSEC, then
the Quick Mode exchange needed to set up the SA does not need
to include the client ID, because in this case the router is
acting as a virtual host, and is not proxying for anyone.
Is this correct?

Bryan
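The two cases Bryan contrasts (a router-to-router tunnel with no client IDs versus a peer proxying for "any" source) come down to what the Quick Mode IDci/IDcr payloads say, and to the RFC 2409 section 5.5 rule that, when they are omitted, the SA's identities default to the ISAKMP peers' own addresses with no protocol or port constraint. The following is an added example, not part of the original post or of any IPsec implementation: it encodes and decodes ISAKMP Identification payloads under the IPsec DOI layout (RFC 2407 section 4.6.2: generic header, then ID Type, Protocol ID, Port, Identification Data), derives the traffic selector an SA would carry, and checks sample packets against it. The router addresses and the hosts behind them are constructed, and 0.0.0.0/0 as an ID_IPV4_ADDR_SUBNET is used here as the conventional encoding of an "any" client ID.

```python
"""Quick Mode client IDs (IDci/IDcr) and the selector they give an SA.

Added example, not from the original mailing-list post.  Payload layout
and type codes follow RFC 2407 section 4.6.2 and the no-client-ID default
of RFC 2409 section 5.5 as the author of this example reads them; all
addresses are constructed for illustration.
"""
import ipaddress
import struct
from collections import namedtuple

# RFC 2407 section 4.6.2.1 identification types (subset used here)
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
PROTO_GRE = 47  # IP protocol number for GRE

Selector = namedtuple("Selector", "src dst proto sport dport")


def encode_id_payload(id_type, data, proto=0, port=0, next_payload=0):
    """Build one Identification payload: generic ISAKMP header (Next Payload,
    RESERVED, Payload Length), then ID Type, Protocol ID, Port and the
    Identification Data.  proto/port of 0 mean 'any' in the IPsec DOI."""
    body = struct.pack("!BBH", id_type, proto, port) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def id_ipv4_addr(addr, proto=0, port=0):
    """Client ID for a single host, e.g. a router acting as a virtual host."""
    return encode_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address(addr).packed,
                             proto, port)


def id_ipv4_subnet(network, proto=0, port=0):
    """Client ID for a proxied range; '0.0.0.0/0' is the usual 'any' encoding."""
    net = ipaddress.IPv4Network(network)
    data = net.network_address.packed + net.netmask.packed
    return encode_id_payload(ID_IPV4_ADDR_SUBNET, data, proto, port)


def decode_id_payload(buf):
    """Parse an Identification payload back into (network, proto, port)."""
    _next, _reserved, length = struct.unpack("!BBH", buf[:4])
    id_type, proto, port = struct.unpack("!BBH", buf[4:8])
    data = buf[8:length]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        net = ipaddress.IPv4Network("%s/32" % ipaddress.IPv4Address(data))
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        net = ipaddress.IPv4Network("%s/%s" % (ipaddress.IPv4Address(data[:4]),
                                               ipaddress.IPv4Address(data[4:])))
    else:
        raise ValueError("unsupported or malformed ID payload (type %d)" % id_type)
    return net, proto, port


def sa_selector(isakmp_src, isakmp_dst, idci=None, idcr=None):
    """Selector for one (simplex) SA negotiated in Quick Mode.

    RFC 2409 section 5.5: if the client IDs are not passed, the identities of
    the SA are the IP addresses of the ISAKMP peers with no constraint on
    protocol or port.  That is the router-to-router tunnel case; IDci/IDcr
    are only needed when a peer proxies for other hosts."""
    if idci is None and idcr is None:
        return Selector(ipaddress.IPv4Network(isakmp_src + "/32"),
                        ipaddress.IPv4Network(isakmp_dst + "/32"), 0, 0, 0)
    if idci is None or idcr is None:
        raise ValueError("IDci and IDcr must both be present or both absent")
    src, proto_i, sport = decode_id_payload(idci)
    dst, proto_r, dport = decode_id_payload(idcr)
    if proto_i != proto_r:
        raise ValueError("IDci and IDcr disagree on protocol")
    return Selector(src, dst, proto_i, sport, dport)


def matches(sel, src, dst, proto, sport=0, dport=0):
    """Would a packet with these headers fall under this SA's selector?"""
    return (ipaddress.IPv4Address(src) in sel.src
            and ipaddress.IPv4Address(dst) in sel.dst
            and sel.proto in (0, proto)
            and sel.sport in (0, sport)
            and sel.dport in (0, dport))


if __name__ == "__main__":
    # Constructed addresses: routers A and B with a GRE tunnel between them.
    A, B = "192.0.2.1", "198.51.100.1"
    # No client IDs: the SA covers A -> B itself, any protocol or port.
    host_sa = sa_selector(A, B)
    print(host_sa, matches(host_sa, A, B, PROTO_GRE))
    # Same virtual-host case, narrowed to GRE only via the Protocol ID field.
    gre_sa = sa_selector(A, B, id_ipv4_addr(A, PROTO_GRE), id_ipv4_addr(B, PROTO_GRE))
    print(gre_sa, matches(gre_sa, A, B, 6))
    # Proxy case: A negotiates on behalf of "any" source behind it.
    any_sa = sa_selector(A, B, id_ipv4_subnet("0.0.0.0/0"), id_ipv4_addr(B))
    print(any_sa, matches(any_sa, "10.1.2.3", B, 6, 40000, 22))
```

The selector is per SA and therefore per direction, which is the point made above about simplex SAs: accepting a source of "any" on the inbound SA says nothing about which route the box uses for the packets it sends back.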
 

