
Re: No Subject



At 11:43 19/01/99 -0800, you wrote:
>
>Hi,
>
>I ran into an interoperability situation between 2 ipsec implementations
>when the
>customer tried to set up 2 networks behind a security gateway as part of the
>same vpn.
>
>network1 -----
>                    |
>                   SG1----x             x--SG2--- peer network
>                    |
>networks -----
>

In a QM negotiation, you use IDs to specify the networks that are
supposed to talk to each other. That could be 
192.168.1.0/24 (behind SG1) and 192.168.2.0/24 (behind SG2).
I would be very surprised if the resulting SA was used for something else
than traffic between these networks. 

If SG1 really sends data from 192.168.3.0/24 through that SA,
I'd say that this implementation is faulty.

You need several SAs here. And if each SG has 10 subnets, there will
be 100 SAs. A possible workaround would be to do QM with 0.0.0.0/0 
IDs and some policy-based filtering.

If you want the most interoperable approach: 
When sending packets, mind the QM IDs used to create the SA.
When receiving packets, you could invent a policy setting to
allow traffic that does not match the IDs. You could. I don't
say that you should.

Jörn
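As an added illustration (not part of the original thread or any of the implementations discussed), the following Python model shows the three points made above: an SA is bound to the QM IDs it was negotiated with, so outbound packets from a subnet outside those IDs must not be sent through it; N local subnets times M peer subnets gives N*M SAs; and the 0.0.0.0/0 workaround trades those SAs for one wildcard SA plus a separate policy filter. The subnet values, SPIs and function names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import product
from typing import Callable, List, Optional, Sequence, Tuple

@dataclass(frozen=True)
class SA:
    """One IPsec SA, remembered together with the QM IDs it was negotiated for.
    local_id/remote_id are the two network IDs from the Quick Mode exchange."""
    spi: int
    local_id: IPv4Network
    remote_id: IPv4Network

    def covers_outbound(self, src: str, dst: str) -> bool:
        return ip_address(src) in self.local_id and ip_address(dst) in self.remote_id

    def covers_inbound(self, src: str, dst: str) -> bool:
        # Inbound traffic flows remote -> local, so the IDs swap roles.
        return ip_address(src) in self.remote_id and ip_address(dst) in self.local_id

def negotiate_per_pair(local_subnets: Sequence[str], peer_subnets: Sequence[str],
                       first_spi: int = 0x1000) -> List[SA]:
    """Model one Quick Mode per (local subnet, peer subnet) pair.
    With 10 subnets on each side this yields 100 SAs, as the message says."""
    return [SA(first_spi + i, ip_network(l), ip_network(p))
            for i, (l, p) in enumerate(product(local_subnets, peer_subnets))]

def select_outbound(sas: Sequence[SA], src: str, dst: str) -> Optional[SA]:
    """Sender side: only an SA whose QM IDs cover the packet may carry it.
    None means 'no SA for this traffic': start a new QM or drop, never reuse
    an SA negotiated for a different pair of networks."""
    for sa in sas:
        if sa.covers_outbound(src, dst):
            return sa
    return None

def accept_inbound(sa: SA, src: str, dst: str, allow_non_matching: bool = False) -> bool:
    """Receiver side: after decapsulation, check the inner packet against the
    SA's IDs. allow_non_matching models the optional policy setting the
    message mentions; the strict default is the interoperable choice."""
    return sa.covers_inbound(src, dst) or allow_non_matching

def wildcard_sa_with_policy(allowed_pairs: Sequence[Tuple[str, str]],
                            spi: int = 0x2000) -> Tuple[SA, Callable[[str, str], bool]]:
    """The workaround: a single SA negotiated with 0.0.0.0/0 IDs, with the
    actual (local, peer) subnet pairs enforced by a separate policy filter."""
    any_net = ip_network("0.0.0.0/0")
    sa = SA(spi, any_net, any_net)
    policy = [(ip_network(l), ip_network(p)) for l, p in allowed_pairs]

    def permitted(src: str, dst: str) -> bool:
        s, d = ip_address(src), ip_address(dst)
        return any(s in l and d in p for l, p in policy)

    return sa, permitted

if __name__ == "__main__":
    # Constructed topology: SG1 has 192.168.1.0/24 and 192.168.3.0/24 behind it,
    # SG2 has 192.168.2.0/24. Only the first pair has been negotiated.
    sas = negotiate_per_pair(["192.168.1.0/24"], ["192.168.2.0/24"])
    print(select_outbound(sas, "192.168.1.5", "192.168.2.7"))   # SA spi=0x1000
    print(select_outbound(sas, "192.168.3.5", "192.168.2.7"))   # None: needs its own QM
    print(len(negotiate_per_pair([f"10.{i}.0.0/16" for i in range(10)],
                                 [f"172.{16 + i}.0.0/16" for i in range(10)])))  # 100
```

Usage note: `select_outbound` returning `None` for the 192.168.3.0/24 source is the behaviour the message calls correct; an implementation that picked the 192.168.1.0/24 SA there is the faulty one described. With the wildcard SA, all enforcement moves into `permitted`, so that filter has to be applied on both send and receive.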


