Wed, 7 Jul 1999 13:04:44 -0700
X-Lotus-FromDomain: 3COM
To: Sankar Ramamoorthi <Sankar@vpnet.com>
cc: "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>
Message-ID: <882567A7.006E4876.00@hqoutbound.ops.3com.com>
Date: Wed, 7 Jul 1999 15:11:02 -0500
Subject: Re: parallel vpns
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk



When using pre-shared key authentication with Main Mode the key can
only be identified by the IP address of the peers. If you use any other
authentication methods you can have multiple VPNs as described in your mail.




Sent by:  Sankar Ramamoorthi <Sankar@vpnet.com>


To:   "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>
cc:    (Boby Joseph/MW/US/3Com)
Subject:  parallel vpns





Hi,

An IPSec Architecture question.
In the following network


     S1-----           -----D1
           |           |
           SG1       SG2
           |           |
     S2-----           -----D2

I have a setup where a pair of gateways SG1, SG2 are protecting
hosts S1,S2 and D1,D2 respectively. I want to define 2 vpns
VPN1, VPN2 where

S1,D1 belong to VPN1

S2,D2 belong to VPN2

Does IPsec architecture allow for such policy definitions?
i.e.: multiple VPNs managed by a pair of gateways.

If so
Can the main mode characteristics for VPN1 and VPN2 be different?
Are there any constraints on how they can be different?

For example:

     VPN1 (main mode characteristics)
          DES, MD5, preshared authentication with secret1

     VPN2 (main mode characteristics)
          DES, MD5, preshared authentication with secret2

VPN1 and VPN2 are different only in the preshared secret used
for authentication purposes.

SG1 initiates an IKE request to SG2. How can SG2
determine to which VPN the request belongs by looking at the SA
request?

If SG2 were to pick the wrong VPN, then authentication will
fail down the line and SG1 will not be able to complete
the IKE exchange.

I thought about using non-IP identifiers and having different phase 1
identifiers for VPN1 and VPN2, but that leads to a different set of problems.

What am I missing?

Thanks for any input.

-- sankar --
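The point in the reply above, that with pre-shared keys in Main Mode the responder has nothing but the peer's IP address to select the key, follows from where the key enters the RFC 2409 derivation. The Python model below is an added example, not code from this thread or either gateway vendor; the PSK table, nonces, cookies, g^xy value and the XOR stand-in for the message 5 cipher are constructed assumptions.

```python
"""Why IKEv1 Main Mode with pre-shared keys can only select the key by peer IP
(RFC 2409 sec. 5, 5.4). Added example, not from the thread; all values are constructed."""
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 prf = HMAC with the negotiated hash; MD5 as proposed in the thread
    return hmac.new(key, data, hashlib.md5).digest()

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # Pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b); needs the right PSK up front
    return prf(psk, ni + nr)

def skeyid_sig(ni: bytes, nr: bytes, gxy: bytes) -> bytes:
    # Signatures: SKEYID = prf(Ni_b | Nr_b, g^xy).  No long-term secret involved.
    return prf(ni + nr, gxy)

def skeyid_e(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    # SKEYID_d -> SKEYID_a -> SKEYID_e chain from RFC 2409 section 5
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    return prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in for the cipher protecting Main Mode messages 5 and 6 (real IKE uses
    # CBC); the lesson is the same: wrong SKEYID_e, unreadable ID payload.
    stream = b"".join(prf(key, bytes([i])) for i in range(len(data) // 16 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

# Constructed sample: VPN1 and VPN2 both run between the same two gateway
# addresses, so an IP-keyed PSK table holds two candidates for SG1's address.
PSK_TABLE = {"192.0.2.1": {"VPN1": b"secret1", "VPN2": b"secret2"}}
NI, NR, GXY = b"ni" * 8, b"nr" * 8, b"constructed-g^xy"
CKY_I, CKY_R = b"cookie-i", b"cookie-r"

def main_mode_responder(peer_ip: str, initiator_psk: bytes, idii: bytes) -> dict:
    """What SG2 recovers from message 5 with each PSK on file for peer_ip.
    IDii arrives only under SKEYID_e, so it cannot drive the PSK choice."""
    k_init = skeyid_e(skeyid_psk(initiator_psk, NI, NR), GXY, CKY_I, CKY_R)
    ciphertext = xor_stream(k_init, idii)          # SG1 encrypts IDii
    return {vpn: xor_stream(skeyid_e(skeyid_psk(psk, NI, NR), GXY, CKY_I, CKY_R),
                            ciphertext)
            for vpn, psk in PSK_TABLE[peer_ip].items()}

def signature_mode_responder(idii: bytes) -> bytes:
    """With signature authentication SKEYID_e depends only on the exchange itself,
    so SG2 reads IDii first and picks the VPN's certificate/policy afterwards."""
    k = skeyid_e(skeyid_sig(NI, NR, GXY), GXY, CKY_I, CKY_R)
    return xor_stream(k, xor_stream(k, idii))
```

Only the entry guessed by address decrypts to the real identity; the other candidate yields noise, which is why the responder must commit to one secret per peer address before it ever sees IDii.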