
Re: parallel vpns



Hi Sankar, 

Comments follow quoted text...

Sankar Ramamoorthi wrote:
> 
> Hi,
> 
> An IPSec Architecture question.
> In the following network
> 
>         S1-----            -----D1
>                 |         |
>                 SG1     SG2
>                 |         |
>         S2-----            -----D2
> 
> I have a setup where a pair of gateways SG1, SG2 are protecting
> hosts S1,S2 and D1,D2 respectively. I want to define 2 VPNs,
> VPN1 and VPN2, where
> 
> S1,D1 belong to VPN1
> 
> S2,D2 belong to VPN2
> 
> Does the IPsec architecture allow for such policy definitions?
> i.e. multiple VPNs managed by a pair of gateways.
> 
> If so
> Can the main mode characteristics for VPN1 and VPN2 be different?
> Are there any constraints on how they can be different?
> 
> For example:
> 
>         VPN1 (main mode characteristics)
>                 DES, MD5, preshared authentication with secret1
> 
>         VPN2 (main mode characteristics)
>                 DES, MD5, preshared authentication with secret2
> 
> VPN1 and VPN2 are different only in the preshared secret used
> for authentication purposes.
> 
> SG1 initiates an IKE request to SG2. How can SG2
> determine to which VPN the request belongs by looking at the SA
> request?
> 
> If SG2 were to pick the wrong VPN, then authentication will
> fail down the line and SG1 will not be able to complete
> the IKE exchange.
> 
> I thought about using non-IP identifiers and having different phase 1
> identifiers for VPN1 and VPN2, but that leads to a different set of problems.
> 
> What am I missing?
> 
> Thanks for any input.
> 
> -- sankar --


Use aggressive mode, with an ID_KEY_ID payload to identify the preshared
key.

Scott
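Added illustration, not part of Scott's reply or of Sankar's post: a toy Python model of why SG2 cannot pick the right preshared key in main mode when both VPNs terminate on SG1's address, and why aggressive mode with ID_KEY_ID lets it. The prf (HMAC-MD5, matching the MD5 proposal in the question) and the SKEYID derivation follow RFC 2409; HASH_I is abbreviated to a few inputs, the "encryption" of main-mode messages 5/6 is a stand-in stream cipher rather than real ISAKMP encryption, and the addresses, key IDs and secrets are constructed for the example.

```python
"""Toy model of IKEv1 phase 1 PSK selection (RFC 2409 / RFC 2407 ID types).
Main mode: the initiator's ID arrives in message 5, encrypted under keys
derived from the PSK, so the responder must choose a PSK by peer address
before it can read the ID.  Aggressive mode: the ID is in message 1 in the
clear, so the responder can select the PSK by ID_KEY_ID."""
import hashlib
import hmac
import os

ID_KEY_ID = 11   # RFC 2407 identification type for an opaque key identifier

# Constructed policy on SG2: the two VPNs from the post, both peering with
# SG1's address.  Key IDs and secrets are made up for this example.
SG1_ADDR = "192.0.2.1"
PSK_BY_KEYID = {b"vpn1": b"secret1", b"vpn2": b"secret2"}
# All a main-mode responder knows before any ID arrives is the peer address,
# and that address maps to both secrets.
PSKS_BY_ADDR = {SG1_ADDR: [b"secret1", b"secret2"]}


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5: the prf that goes with an MD5 hash proposal (RFC 2409 s.4)."""
    return hmac.new(key, data, hashlib.md5).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 s.5.4, preshared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_i(skeyid: bytes, ni: bytes, nr: bytes, id_i: bytes) -> bytes:
    """Abbreviated HASH_I; the real one also covers g^xi, g^xr, cookies, SAi_b."""
    return prf(skeyid, ni + nr + id_i)


def keystream(skeyid: bytes, n: int) -> bytes:
    """Stand-in for SKEYID_e-keyed encryption of main-mode messages 5/6."""
    out, block = b"", b""
    while len(out) < n:
        block = prf(skeyid, block + b"e")
        out += block
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def main_mode_initiator_msg5(psk, ni, nr, keyid):
    """SG1 builds main-mode message 5: {IDii, HASH_I} under PSK-derived keys.
    Nonces are treated as already exchanged in messages 3/4."""
    skeyid = skeyid_psk(psk, ni, nr)
    plain = keyid + hash_i(skeyid, ni, nr, keyid)
    return xor(plain, keystream(skeyid, len(plain)))


def main_mode_responder(peer_addr, ni, nr, msg5):
    """SG2 in main mode: must commit to a PSK by address before decrypting.
    Returns the authenticated key ID, or None when HASH_I does not verify."""
    psk = PSKS_BY_ADDR[peer_addr][0]   # no ID yet, so take the first candidate
    skeyid = skeyid_psk(psk, ni, nr)
    plain = xor(msg5, keystream(skeyid, len(msg5)))
    id_i, h = plain[:-16], plain[-16:]  # MD5 prf output is 16 bytes
    if hmac.compare_digest(h, hash_i(skeyid, ni, nr, id_i)):
        return id_i
    return None


def aggressive_mode_initiator(psk, keyid, ni, nr):
    """SG1 aggressive mode: message 1 carries IDii in the clear (HDR, SA, KE,
    Ni, IDii); HASH_I follows in message 3 once Nr is known."""
    skeyid = skeyid_psk(psk, ni, nr)
    msg1 = {"id_type": ID_KEY_ID, "id": keyid, "ni": ni}
    msg3 = {"hash_i": hash_i(skeyid, ni, nr, keyid)}
    return msg1, msg3


def aggressive_mode_responder(msg1, nr, msg3):
    """SG2 in aggressive mode: the ID_KEY_ID selects the PSK before any
    key derivation, so both VPNs authenticate from the same peer address."""
    if msg1["id_type"] != ID_KEY_ID:
        return None
    psk = PSK_BY_KEYID.get(msg1["id"])
    if psk is None:
        return None
    skeyid = skeyid_psk(psk, msg1["ni"], nr)
    expected = hash_i(skeyid, msg1["ni"], nr, msg1["id"])
    if hmac.compare_digest(expected, msg3["hash_i"]):
        return msg1["id"]
    return None


def run_demo():
    """Run both modes for both VPNs; maps (mode, keyid) -> authenticated ID."""
    ni, nr = os.urandom(16), os.urandom(16)
    results = {}
    for keyid, psk in PSK_BY_KEYID.items():
        msg5 = main_mode_initiator_msg5(psk, ni, nr, keyid)
        results[("main", keyid)] = main_mode_responder(SG1_ADDR, ni, nr, msg5)
        msg1, msg3 = aggressive_mode_initiator(psk, keyid, ni, nr)
        results[("aggressive", keyid)] = aggressive_mode_responder(msg1, nr, msg3)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "->", v)
```

In the model, main mode authenticates VPN1 only because its secret happens to be the first one filed under SG1's address; VPN2 fails exactly as the question predicts, since the responder decrypts message 5 with the wrong SKEYID and HASH_I cannot verify. Aggressive mode authenticates both. The trade-off to weigh before adopting it: with preshared keys, aggressive mode sends HASH_R (and HASH_I) unencrypted, so an on-path observer can mount an offline dictionary attack on a weak preshared secret, which main mode's encrypted messages 5/6 do not expose.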

