Selection of proposals
Hi All,
The scenario I sent in yesterday didn't give all the details and I am
modifying it to give the exact scenario...
If we have SG1, SG2 and IPSec capable host H2 in the following
scenario,
      |--------ESP tunnel--------|
      |                          |
     SG1 ----------------- SG2 ----------- H2
      |                                    |
      |--------------AH tunnel-------------|
and the security policies are as follows.
At SG1 the outbound policy is
Proposal #1:
  For SG2: ESP with 3DES
           or ESP with DES
  For H2:  AH with SHA1
           or AH with MD5
At SG2 we have the inbound policy as
Proposal #1:
  ESP with 3DES
  or ESP with DES
H2 has the inbound policy as
Proposal #1:
  AH with MD5
During IKE negotiation, SG1 sends out the SA payload (with the two
transforms it has) to SG2 and H2. SG2 will select Transform #1 of SG1 and
H2 will select Transform #2 of SG1. Because of this, an SA bundle that
perfectly matches the proposal cannot be formed by SG1. However, SG2 is
capable of processing with DES and had SG2 selected this, it could have
formed an SA bundle at SG1.
Do we just reject the proposal at this stage or is it permitted to send the
two transforms as different proposal payloads in independent SA payloads
and try to see if a match can be found amongst all available proposals? The
problem here is, of course, the fact that H2 and SG2 look at the individual
and independent SPDs while SG1 looks at the combined SA bundle.
Any suggestions will be appreciated.
-Thanks a lot
Rohit
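The following is an added model of the scenario in the message above; it is not code from the original post or from any IPsec implementation. It encodes the poster's own reading of the negotiation (each responder consults only its own SPD and picks the first transform it accepts, and SG1 treats the bundle as matched only when both responders picked the same transform number), and then tries the alternative the poster asks about: expanding the transform combinations into independent single-transform proposals and looking for one that every responder accepts. The policy tables, selection rule and matching rule are assumptions taken from the post, not from the RFCs.

```python
"""Model of SG1's proposal selection problem (added example, not from the post).

Assumptions, all taken from the poster's description rather than RFC text:
- SG1 offers one proposal with two protocols (ESP, AH), each carrying an
  ordered list of transforms (transform #1 first).
- Each responder looks only at the protocol it terminates and selects the
  first offered transform its own SPD accepts.
- SG1 treats the bundle as matched only if both responders selected the
  same transform number (the poster's reading: 3DES/#1 + MD5/#2 fails,
  DES/#2 + MD5/#2 would have worked).
"""
from itertools import product

# SG1's outbound proposal: protocol -> ordered transforms (from the post)
SG1_PROPOSAL = {
    "ESP": ["3DES", "DES"],
    "AH": ["SHA1", "MD5"],
}

# Responders' inbound policies: protocol -> acceptable transforms (from the post)
SG2_POLICY = {"ESP": {"3DES", "DES"}}
H2_POLICY = {"AH": {"MD5"}}


def responder_select(proposal, policy):
    """Return {protocol: (transform_number, transform)} for the protocols this
    responder terminates, picking the first acceptable transform in SG1's
    order. Protocols outside the responder's SPD are ignored (independent
    SPDs). Returns None if an offered protocol has no acceptable transform."""
    selected = {}
    for proto, transforms in proposal.items():
        if proto not in policy:
            continue
        for number, transform in enumerate(transforms, start=1):
            if transform in policy[proto]:
                selected[proto] = (number, transform)
                break
        else:
            return None  # nothing acceptable for this protocol: reject
    return selected


def bundle_matches(selections):
    """Poster's strict rule: every protocol's chosen transform number agrees."""
    numbers = {number for number, _ in selections.values()}
    return len(numbers) == 1


def negotiate_single_proposal(proposal, policies):
    """Send the one combined proposal to every responder and merge their
    independent choices; None if any responder rejects or the numbers differ."""
    merged = {}
    for policy in policies:
        choice = responder_select(proposal, policy)
        if choice is None:
            return None
        merged.update(choice)
    return merged if bundle_matches(merged) else None


def negotiate_expanded_proposals(proposal, policies):
    """Alternative raised in the post: expand the transform combinations into
    independent single-transform proposals and return the first combination
    every responder accepts (None if no combination does)."""
    protos = list(proposal)
    for combo in product(*(proposal[p] for p in protos)):
        candidate = {p: [t] for p, t in zip(protos, combo)}
        if all(responder_select(candidate, pol) is not None for pol in policies):
            return dict(zip(protos, combo))
    return None


if __name__ == "__main__":
    peers = [SG2_POLICY, H2_POLICY]
    print("SG2 picks:", responder_select(SG1_PROPOSAL, SG2_POLICY))
    print("H2 picks: ", responder_select(SG1_PROPOSAL, H2_POLICY))
    print("combined proposal result:", negotiate_single_proposal(SG1_PROPOSAL, peers))
    print("expanded proposals result:", negotiate_expanded_proposals(SG1_PROPOSAL, peers))
```

With the post's policies, the combined proposal fails under the strict rule (SG2 picks #1, H2 picks #2), while the expanded search finds a combination both peers accept (3DES on the ESP tunnel, MD5 on the AH tunnel); changing the `bundle_matches` rule is the single place to model a different reading of how transforms combine across protocols.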