
Re: Proxy IDs and Tunnel mode Question



I ran into an interesting case of this recently.  If the initiator sends
client IDs, and then the responder does *not* send client IDs, presumably
because they would have been identical to the initiator's or identical
to the Phase 1 IDs.  This would seem to be a protocol violation,
correct?  If the initiator sends client IDs, it would seem that the
responder should also always send client IDs.


Dan Harkins wrote:
> 
> On Mon, 15 Feb 1999 18:04:17 EST Andrew Sweeney wrote
> >
> >     I am running a test to ipsec-wit.antd.nist.gov. I am running in
> > tunnel mode and I am not getting Proxy IDs sent to me during the Quick
> > mode negotiation. It was my understanding that the proxy IDs are
> > required in tunnel mode, how else do you know what net you are actually
> > tunneling to.
> 
> They're not required and if you're the initiator and you didn't send
> them then you shouldn't expect them.
> 
> >     What happens in the case of a host running tunnel mode? Do you just
> > assume that if there is no proxy ID's and you are in tunnel mode then
> > this a host and not a gateway?
> 
> Section 5.5 of RFC2409 says:
> 
>   "The identities of the SAs negotiated in Quick Mode are implicitly
>    assumed to be the IP addresses of the ISAKMP peers, without any
>    implied constraints on the protocol or port numbers allowed, unless
>    client identifiers are specified in Quick Mode."

-- 
Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.
<pgpfone://cast.cyphers.net>
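The rule quoted from RFC 2409 section 5.5, and the two cases the thread raises (no proxy IDs at all, and IDs sent by only one side), as an added example that is not code from the list or from any IKE implementation. The class and function names, the `ANY` encoding for "no constraint" on protocol and port, and the decision to reject a one-sided ID exchange are this example's own assumptions and local-policy choice, not rules taken from the RFC text above.

```python
"""Effective SA identities for an IKEv1 Quick Mode exchange.

Added example for this thread; it is not code from the list or from any
IKE implementation.  It applies the rule quoted from RFC 2409 section 5.5:
without client identifiers (IDci/IDcr) in Quick Mode, the SA identities
are the IP addresses of the ISAKMP peers with no protocol or port
constraint.  How a responder that omits client IDs after the initiator
sent them is treated is this example's own local-policy choice, not a
rule taken from the RFC text.
"""
from dataclasses import dataclass
from typing import Optional

ANY = 0  # assumed encoding for "no constraint" on protocol and port


@dataclass(frozen=True)
class ClientId:
    """One Quick Mode client identifier: address (host or CIDR), protocol, port."""
    address: str
    proto: int = ANY
    port: int = ANY


@dataclass(frozen=True)
class SaIdentities:
    idci: ClientId   # identity on the initiator's side
    idcr: ClientId   # identity on the responder's side
    implicit: bool   # True when derived from the Phase 1 peer addresses


def implicit_identities(init_peer: str, resp_peer: str) -> SaIdentities:
    """No client IDs on the wire: identities are the ISAKMP peer addresses."""
    return SaIdentities(ClientId(init_peer), ClientId(resp_peer), implicit=True)


def effective_identities(
    init_peer: str,
    resp_peer: str,
    initiator_ids: Optional[tuple[ClientId, ClientId]],
    responder_ids: Optional[tuple[ClientId, ClientId]],
) -> SaIdentities:
    """Decide what the negotiated SA protects, given what each side sent.

    initiator_ids / responder_ids are the (IDci, IDcr) pairs carried in the
    first and second Quick Mode messages, or None when a side sent none.
    """
    if initiator_ids is None and responder_ids is None:
        # The case from the thread: neither side sent proxy IDs, so the SA
        # is host-to-host between the ISAKMP peers, any protocol, any port.
        return implicit_identities(init_peer, resp_peer)

    if initiator_ids is not None and responder_ids is not None:
        # Both sides carried IDs: accept only if they describe the same traffic.
        if initiator_ids != responder_ids:
            raise ValueError(
                f"client ID mismatch: initiator {initiator_ids}, "
                f"responder {responder_ids}"
            )
        idci, idcr = initiator_ids
        return SaIdentities(idci, idcr, implicit=False)

    # Asymmetric case raised in the thread: exactly one side sent client IDs.
    # Local policy of this example: do not guess what the silent side meant;
    # reject so the case is logged and investigated rather than silently
    # mapped onto the Phase 1 addresses.
    who = "responder" if initiator_ids is not None else "initiator"
    raise ValueError(f"client IDs sent by only one side ({who} omitted them)")


if __name__ == "__main__":
    # Constructed sample: a host-to-host tunnel with no proxy IDs at all.
    print(effective_identities("10.0.0.1", "10.0.0.2", None, None))
```

With no client IDs from either side the result is the host-to-host pair of peer addresses, which is the "host running tunnel mode" case the original question asks about. Rejecting the one-sided exchange is a conservative choice for this example; an implementation would decide that from its own policy and the RFC text.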

