
Automatic SPD Entry Creation for Remote Access IPSEC Clients



Hi Steve,

You posted a message to the IPSEC list (a while ago) that described
dynamic creation of new inbound SPD entries for remote-access clients
with dynamically assigned addresses (i.e. addresses unknown to the
local system). Your rationale was that you needed the new SPD entry
to provide the final validation check for inbound packet processing.

Is this always necessary?

For example, please assume my inbound SPD states all UDP port 1701
(L2TP) traffic from _ANY_ address must be encrypted using Transport
mode ESP(3DES-SHA). Also assume that SPD entry requires SAD element
derivation (creation) using the addresses, ports, etc from the packet.
(This derivation mechanism is discussed on pages 14-15 of RFC 2401).

As multiple remote peers establish SAs, each of their SAD entries
is created using their source IP address as defined by the IKE
phase 2 identity. (I'm getting fuzzy here, so please correct me if
I'm wrong on this.) All of those SAD entries are bound to the
single SPD entry which contained the _ANY_ source address wildcard value.

Is this an acceptable alternative to dynamically creating SPD
entries?


Perhaps I can answer my own question. The specific packet that triggered
the SA creation is not known in the _responding_ system therefore
there is insufficient information to create the SAD element. That is
why you recommended waiting until the first IPSEC packet arrives and then
creating the SPD entry from that. 

Could you create the SAD entry and bind it to the wildcard source
address SPD entry instead?

-Ben McCann

-- 
---
Ben McCann                              Indus River Networks
                                        31 Nagog Park
                                        Acton, MA, 01720
email: bmccann@indusriver.com           web: www.indusriver.com 
phone: (978) 266-8140                   fax: (978) 266-8111
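The following is an added illustration, not text or code from the original post, its author or the IPSEC list. It models, in simplified form, the alternative raised in the message: a single inbound SPD entry with a wildcard source selector (ANY -> local UDP/1701, PROTECT), a "populate from packet" option that narrows the source selector when each SAD entry is created, and an inbound path that maps the packet to an SA by SPI and then checks the packet against that SA's selectors. Class and method names, the `from_packet` field, the return strings and the RFC 5737 documentation addresses are all assumptions made for the example; real IPsec stacks differ in detail and the RFC 2401 structures have more fields than shown here.

```python
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

ANY = "*"  # wildcard selector value


@dataclass(frozen=True)
class Selectors:
    """Subset of RFC 2401 traffic selectors: addresses, protocol, destination port."""
    src: str
    dst: str
    proto: str
    dst_port: object  # int, or ANY

    def matches(self, pkt: "Packet") -> bool:
        return ((self.src == ANY or self.src == pkt.src)
                and (self.dst == ANY or self.dst == pkt.dst)
                and (self.proto == ANY or self.proto == pkt.proto)
                and (self.dst_port == ANY or self.dst_port == pkt.dst_port))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int
    spi: Optional[int] = None  # SPI from the ESP header; None for cleartext


@dataclass
class SPDEntry:
    selectors: Selectors
    action: str  # "PROTECT", "BYPASS" or "DISCARD"
    # Selector fields whose SAD value is taken from the negotiated traffic
    # instead of being copied from this entry (RFC 2401 4.4.1 "from the packet"
    # option; the attribute name is this example's own).
    from_packet: Tuple[str, ...] = ()


@dataclass
class SADEntry:
    spi: int
    selectors: Selectors
    policy: SPDEntry  # the SPD entry this SA was created under


class IPsecStack:
    def __init__(self, spd: List[SPDEntry]):
        self.spd = spd
        self.sad: Dict[int, SADEntry] = {}
        self._next_spi = 0x1000

    def lookup_policy(self, pkt: Packet) -> Optional[SPDEntry]:
        """Ordered SPD search; first match wins, no match means discard."""
        for entry in self.spd:
            if entry.selectors.matches(pkt):
                return entry
        return None

    def create_sa(self, policy: SPDEntry, negotiated: Packet) -> SADEntry:
        """Responder side: derive SAD selectors from the SPD entry, narrowing each
        'from_packet' field to the negotiated value (the peer's phase 2 identity
        stands in for the triggering packet the responder never saw)."""
        derived = asdict(policy.selectors)
        for name in policy.from_packet:
            derived[name] = getattr(negotiated, name)
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        sa = SADEntry(spi, Selectors(**derived), policy)
        self.sad[spi] = sa
        return sa

    def inbound(self, pkt: Packet) -> str:
        """Cleartext packets are checked against the SPD. Protected packets are mapped
        to an SA by SPI and, after decapsulation (not modelled), checked against the
        SA's selectors: this per-SA check is the validation step at issue."""
        if pkt.spi is None:
            policy = self.lookup_policy(pkt)
            return "BYPASS" if policy and policy.action == "BYPASS" else "DISCARD(unprotected)"
        sa = self.sad.get(pkt.spi)
        if sa is None:
            return "DISCARD(no SA)"
        if not sa.selectors.matches(pkt):
            return "DISCARD(selector mismatch)"
        return "ACCEPT"


LOCAL = "192.0.2.1"                               # local gateway (documentation address)
PEER_A, PEER_B = "203.0.113.10", "198.51.100.7"   # two remote-access clients (constructed)


def demo() -> dict:
    # The one SPD entry from the post: ANY source -> local UDP/1701, protect,
    # with the source address populated from the negotiated traffic.
    l2tp = SPDEntry(Selectors(ANY, LOCAL, "udp", 1701), "PROTECT", from_packet=("src",))
    stack = IPsecStack([l2tp])
    sa_a = stack.create_sa(l2tp, Packet(PEER_A, LOCAL, "udp", 1701))
    sa_b = stack.create_sa(l2tp, Packet(PEER_B, LOCAL, "udp", 1701))
    return {
        "same_policy": sa_a.policy is l2tp and sa_b.policy is l2tp,
        "sa_a_src": sa_a.selectors.src,
        "sa_b_src": sa_b.selectors.src,
        "a_ok": stack.inbound(Packet(PEER_A, LOCAL, "udp", 1701, spi=sa_a.spi)),
        "b_on_a": stack.inbound(Packet(PEER_B, LOCAL, "udp", 1701, spi=sa_a.spi)),
        "wrong_port": stack.inbound(Packet(PEER_A, LOCAL, "udp", 500, spi=sa_a.spi)),
        "cleartext": stack.inbound(Packet(PEER_A, LOCAL, "udp", 1701)),
        "unknown_spi": stack.inbound(Packet(PEER_A, LOCAL, "udp", 1701, spi=0x9999)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block shows both peers' SAD entries pointing back at the same wildcard SPD entry while carrying different, narrowed source selectors, so a packet arriving on peer A's SA but claiming peer B's address (or a different port) is dropped by the SA selector check even though the SPD entry itself would have matched it.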

