Re: parallel vpns
Hi Sankar,
Comments follow quoted text...
Sankar Ramamoorthi wrote:
>
> Hi,
>
> An IPSec Architecture question.
> In the following network
>
> S1-----       -----D1
>       |       |
>      SG1     SG2
>       |       |
> S2-----       -----D2
>
> I have a setup where a pair of gateways SG1, SG2 are protecting
> hosts S1,S2 and D1,D2 respectively. I want to define 2 VPNs,
> VPN1 and VPN2, where
>
> S1,D1 belong to VPN1
>
> S2,D2 belong to VPN2
>
> Does the IPsec architecture allow for such policy definitions?
> ie: multiple VPNs managed by a pair of gateways.
>
> If so
> Can the main mode characteristics for VPN1 and VPN2 be different?
> Are there any constraints on how they can be different?
>
> For example:
>
> VPN1 (main mode characteristics)
> DES, MD5, preshared authentication with secret1
>
> VPN2 (main mode characteristics)
> DES, MD5, preshared authentication with secret2
>
> VPN1 and VPN2 are different only in the preshared secret used
> for authentication purposes.
>
> SG1 initiates an IKE request to SG2. How can SG2
> determine to which VPN the request belongs by looking at the SA
> request?
>
> If SG2 were to pick the wrong VPN, then authentication will
> fail down the line and SG1 will not be able to complete
> the IKE exchange.
>
> I thought about using non-IP identifiers and having different phase 1
> identifiers for VPN1 and VPN2, but that leads to a different set of problems.
>
> What am I missing?
>
> Thanks for any input.
>
> -- sankar --
Use aggressive mode, with the ID_KEY_ID payload to identify the preshared
key.
Scott
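The point behind the reply above, shown as an added example that is not part of the original thread and not code from any of the people in it: in Main Mode the initiator's identity (IDii) travels in message 5, encrypted under keys derived from SKEYID, and for preshared-key authentication SKEYID = prf(PSK, Ni_b | Nr_b). So SG2 has to pick a preshared key before it can read the identity, and the only selector it has at that point is SG1's IP address, which is the same for VPN1 and VPN2. In Aggressive Mode IDii is in message 1 in the clear, so an ID_KEY_ID identity can select the key. The simulation below carries the three Aggressive Mode messages through the RFC 2409 HASH_I / HASH_R computations with HMAC-MD5 as the prf. The addresses, key IDs, secrets, SA payload body and the small Diffie-Hellman modulus are all constructed for the example (the modulus stands in for a real IKE group; only the g^x values feed the hashes here).

```python
"""Constructed simulation: preshared-key selection in IKEv1 Main Mode versus
Aggressive Mode with ID_KEY_ID. Not real IKE code; no wire encoding beyond the
ID payload body is modelled."""
import hashlib
import hmac
import os
import struct

# Toy Diffie-Hellman group (assumption: placeholder for a real IKE DH group).
P = (1 << 127) - 1          # prime modulus 2^127 - 1
G = 2
ID_KEY_ID = 11              # ID type value for ID_KEY_ID (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf when the negotiated hash is MD5: HMAC-MD5."""
    return hmac.new(key, data, hashlib.md5).digest()


def id_body(id_type: int, data: bytes) -> bytes:
    """ID payload body: ID type, protocol ID, port, then identification data."""
    return struct.pack(">BBH", id_type, 0, 0) + data


# SG2's key table, constructed for the example: two VPNs terminating on the
# same peer address (SG1) but authenticated with different preshared secrets.
SG1_ADDR = "192.0.2.1"
SG2_PSK_TABLE = [
    {"vpn": "VPN1", "peer": SG1_ADDR, "key_id": b"vpn1@sg1", "psk": b"secret1"},
    {"vpn": "VPN2", "peer": SG1_ADDR, "key_id": b"vpn2@sg1", "psk": b"secret2"},
]


def main_mode_psk_candidates(peer_addr: str) -> list:
    """Main Mode: when SG2 must derive SKEYID it has seen only SG1's address,
    because IDii is in message 5 and is encrypted with SKEYID-derived keys.
    Two matching entries mean SG2 cannot decide which secret to use."""
    return [e for e in SG2_PSK_TABLE if e["peer"] == peer_addr]


def aggressive_mode_psk(key_id: bytes):
    """Aggressive Mode: IDii (type ID_KEY_ID) is in message 1 in the clear, so
    SG2 selects the secret by identity before deriving anything."""
    for entry in SG2_PSK_TABLE:
        if entry["key_id"] == key_id:
            return entry
    return None


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def aggressive_exchange(initiator_key_id: bytes, initiator_psk: bytes):
    """Run the three Aggressive Mode messages between SG1 (initiator) and SG2
    (responder). Returns the VPN name SG2 bound the SA to, or None when either
    side rejects the peer's hash (wrong or unknown preshared key)."""
    sai_b = b"DES-CBC/MD5/PSK/toy-group"            # SA payload body, constructed
    cky_i, cky_r = os.urandom(8), os.urandom(8)     # ISAKMP cookies
    ni, nr = os.urandom(16), os.urandom(16)         # nonces
    xi = int.from_bytes(os.urandom(16), "big") % P or 1
    xr = int.from_bytes(os.urandom(16), "big") % P or 1
    gxi = pow(G, xi, P).to_bytes(16, "big")
    gxr = pow(G, xr, P).to_bytes(16, "big")

    # Message 1 (SG1 -> SG2): SA, KE, Ni, IDii.  IDii is visible to SG2 now.
    idii_b = id_body(ID_KEY_ID, initiator_key_id)
    entry = aggressive_mode_psk(initiator_key_id)
    if entry is None:
        return None                                 # SG2 knows no such key ID
    skeyid_r = prf(entry["psk"], ni + nr)           # SG2's SKEYID from its table
    skeyid_i = prf(initiator_psk, ni + nr)          # SG1's SKEYID from its config

    # Message 2 (SG2 -> SG1): SA, KE, Nr, IDir, HASH_R.  SG1 checks HASH_R.
    idir_b = id_body(ID_KEY_ID, b"sg2")
    h_r = hash_r(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, idir_b)
    if not hmac.compare_digest(h_r, hash_r(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, idir_b)):
        return None                                 # SG1 rejects SG2

    # Message 3 (SG1 -> SG2): HASH_I.  SG2 checks it with the key it selected.
    h_i = hash_i(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    if not hmac.compare_digest(h_i, hash_i(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, idii_b)):
        return None                                 # SG2 rejects SG1
    return entry["vpn"]
```

Calling `aggressive_exchange(b"vpn2@sg1", b"secret2")` returns "VPN2" while `main_mode_psk_candidates("192.0.2.1")` returns both table entries, which is exactly the ambiguity in the question. The caveat a practitioner should weigh: with preshared keys, Aggressive Mode sends the identity in the clear and HASH_R is a function of the PSK, the nonces and other values visible on the wire, so a passive observer can run an offline dictionary attack against the secret. The preshared secrets in this kind of setup therefore need to be long and random, or the gateways should move to certificate authentication, where Main Mode has no such key-selection problem.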