
Re: inbound policy verification



Hi,

Richard Draves writes:
> Lewis, I don't understand one aspect of your proposed work-around for my
> example. If the administrator creates separate policies in the inbound SPD
> for each of the hosts X2, Y2, Z2, etc in network N2, then won't this mean
> that each of the hosts will need a different SA to send packets to H1?
> Whereas in my example, all the hosts in N2 (except H2) could share an SA.
> (Using "take-from-policy" for the source address selector with value N2 in
> the second policy in the inbound SPD.)

Right.
This can be mitigated to some extent by specifying multiple hosts in a single
selector using a _SUBNET or _RANGE ID Type (cf. the IPsec DOI). But I agree 
it would be convenient to be able to specify a more or less arbitrary set of 
"atomic" IDs as the selector for a single SA. See the recent/current thread
with Subject: Re: multiple payloads via "ID_LIST"
for discussion of work on this issue.

> Thanks,
> Rich

-Lewis
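The exchange above is about how many inbound SAs H1 needs when the admin wants one policy to cover "all of N2 except H2". The following is an added worked example, not code from the original thread or from any IPsec implementation: a toy selector matcher using the DOI ID Types Lewis mentions (ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET and ID_IPV4_ADDR_RANGE, with the type numbers from the IPsec DOI), applied to a constructed N2 (192.0.2.0/28) and H2 (192.0.2.5). It counts the selectors, and hence SAs, needed under each approach: one ID per host, a decomposition into _SUBNET IDs, and a decomposition into _RANGE IDs. The network, host addresses and helper names are assumptions for illustration only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Identification types from the IPsec DOI that are usable as address selectors.
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
ID_IPV4_ADDR_RANGE = 7


@dataclass(frozen=True)
class Selector:
    """One address selector of an SPD entry, stored as an inclusive [lo, hi]."""
    id_type: int
    lo: ipaddress.IPv4Address
    hi: ipaddress.IPv4Address

    @classmethod
    def host(cls, addr):
        a = ipaddress.IPv4Address(addr)
        return cls(ID_IPV4_ADDR, a, a)

    @classmethod
    def subnet(cls, net):
        n = ipaddress.IPv4Network(net)
        return cls(ID_IPV4_ADDR_SUBNET, n[0], n[-1])

    @classmethod
    def range(cls, lo, hi):
        return cls(ID_IPV4_ADDR_RANGE,
                   ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))

    def matches(self, addr) -> bool:
        return self.lo <= ipaddress.IPv4Address(addr) <= self.hi


def covered(selectors: List[Selector], addr) -> bool:
    """True if any selector (i.e. any of the SAs) admits this source address."""
    return any(s.matches(addr) for s in selectors)


def per_host_selectors(net, excluded) -> List[Selector]:
    """Rich's reading of the work-around: one ID_IPV4_ADDR, so one SA, per host."""
    n = ipaddress.IPv4Network(net)
    skip = {ipaddress.IPv4Address(e) for e in excluded}
    return [Selector.host(a) for a in n if a not in skip]


def subnet_selectors(net, excluded) -> List[Selector]:
    """Cover net minus the excluded hosts with the fewest ID_IPV4_ADDR_SUBNET IDs."""
    remaining = [ipaddress.IPv4Network(net)]
    for e in excluded:
        hole = ipaddress.IPv4Network(e)  # a /32 for a single host
        nxt = []
        for r in remaining:
            if hole.subnet_of(r):
                nxt.extend(r.address_exclude(hole))  # split r around the hole
            else:
                nxt.append(r)
        remaining = nxt
    return [Selector.subnet(r) for r in sorted(remaining)]


def range_selectors(net, excluded) -> List[Selector]:
    """Cover net minus the excluded hosts with the fewest ID_IPV4_ADDR_RANGE IDs."""
    n = ipaddress.IPv4Network(net)
    lo, hi = int(n[0]), int(n[-1])
    holes = sorted({int(ipaddress.IPv4Address(e)) for e in excluded})
    out, start = [], lo
    for h in holes:
        if not lo <= h <= hi:
            continue  # not in this network, nothing to cut out
        if h > start:
            out.append(Selector.range(start, h - 1))
        start = h + 1
    if start <= hi:
        out.append(Selector.range(start, hi))
    return out


def sa_count(net, excluded) -> dict:
    """Number of SAs H1 must hold under each way of writing the selector."""
    return {
        "per_host": len(per_host_selectors(net, excluded)),
        "subnet": len(subnet_selectors(net, excluded)),
        "range": len(range_selectors(net, excluded)),
    }


if __name__ == "__main__":
    N2, H2 = "192.0.2.0/28", ["192.0.2.5"]  # constructed addresses
    print(sa_count(N2, H2))
    for s in range_selectors(N2, H2):
        print(s.id_type, s.lo, "-", s.hi)
```

For "N2 minus one host" the _RANGE form needs two SAs and the _SUBNET form four, against fifteen when each host gets its own ID; excluding an arbitrary scattered set of hosts grows the range count with every hole, which is the case an ID_LIST-style selector would collapse back to a single SA.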