
Re: parallel vpns



On Wed, 07 Jul 1999 09:48:48 PDT you wrote
> 
> Hi,
> 
> An IPSec Architecture question.
> In the following network
> 
> 
>     S1-----            -----D1
>            |          |
>           SG1        SG2
>            |          |
>     S2-----            -----D2
> 
> I have a setup where a pair of gateways SG1, SG2 are protecting
> hosts S1,S2 and D1,D2 respectively. I want to define 2 vpns
> VPN1, VPN2 where
> 
> S1,D1 belong to VPN1
> 
> S2,D2 belong to VPN2
> 
> Does the IPsec architecture allow for such policy definitions?
> i.e. multiple VPNs managed by a pair of gateways.
> 
> If so
> Can the main mode characteristics for VPN1 and VPN2 be different?
> Are there any constraints on how they can be different?
> 
> For example:
> 
> 	VPN1 (main mode characteristics)
> 		DES, MD5, preshared authentication with secret1
> 
> 	VPN2 (main mode characteristics)
> 		DES, MD5, preshared authentication with secret2
> 	
> VPN1 and VPN2 are different only in the preshared secret used
> for authentication purposes.

The answer is no since there's nothing like a "cert req" payload for 
pre-shared keys. That's like saying you have two identical token cards and
how does your radius server know which one you're using? But the next 
question is why do you want to do this? The IKE SA is just used to protect 
IKE traffic. You can use the same IKE SA to generate IPSec SAs for S1->D1
and S2->D2. Do Quick Mode with PFS if you're worried about the keys being
related.

  Dan.
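The layout the reply recommends, as an added configuration example that is not part of the original thread: one IKE SA between SG1 and SG2 authenticated with a single pre-shared key, and two separate IPsec (child) SAs whose traffic selectors split the S1/D1 and S2/D2 flows, each negotiated with a DH group so PFS applies. It is written in strongSwan's swanctl.conf format for the SG1 side; the gateway and subnet addresses, the connection and child names, and the proposals are assumptions, and the cipher suites are modern ones rather than the DES/MD5 pair in the question.

```conf
# Added example (not from the original mailing-list post): SG1 side of the
# SG1<->SG2 tunnel in strongSwan swanctl.conf syntax. Addresses below are
# documentation ranges chosen for the example.
connections {
    sg1-sg2 {
        version      = 1              # IKEv1 as discussed in the thread; main mode is the default
        local_addrs  = 192.0.2.1      # SG1 (assumed)
        remote_addrs = 198.51.100.1   # SG2 (assumed)

        # One phase-1 (IKE SA) policy for the gateway pair. Its cipher choice
        # only protects IKE traffic, so it does not need to differ per VPN.
        proposals = aes256-sha256-modp2048

        local {
            auth = psk
            id   = 192.0.2.1
        }
        remote {
            auth = psk
            id   = 198.51.100.1
        }

        # Two phase-2 (IPsec SA) policies under the same IKE SA. The traffic
        # selectors are what separate "VPN1" from "VPN2"; including a DH group
        # (modp2048) in esp_proposals requests PFS in quick mode, so the two
        # sets of ESP keys are not derived solely from the shared IKE SA.
        children {
            vpn1 {
                local_ts      = 10.1.1.0/24   # S1's network (assumed)
                remote_ts     = 10.2.1.0/24   # D1's network (assumed)
                esp_proposals = aes256gcm16-modp2048
                start_action  = trap          # bring the SA up on matching traffic
            }
            vpn2 {
                local_ts      = 10.1.2.0/24   # S2's network (assumed)
                remote_ts     = 10.2.2.0/24   # D2's network (assumed)
                esp_proposals = aes256gcm16-modp2048
                start_action  = trap
            }
        }
    }
}

secrets {
    # The PSK is selected by the peer's identity (its address here), which is
    # why a second secret for the same peer pair could never be told apart.
    ike-sg2 {
        id     = 198.51.100.1
        secret = "REPLACE-WITH-A-STRONG-SHARED-SECRET"   # placeholder
    }
}
```

The SG2 side mirrors this with the addresses and selectors swapped. If the two VPNs really must authenticate with different credentials, that is a reason to move from pre-shared keys to certificates (or to separate gateway identities), not to try to attach two secrets to one peer pair.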


