RE: parallel vpns
>From: Dan Harkins [dharkins@Network-Alchemy.COM]
>Sent: Friday, July 09, 1999 10:27 AM
>To: Sankar Ramamoorthi
>Cc: 'ipsec@lists.tislabs.com'
>Subject: Re: parallel vpns
>
>On Wed, 07 Jul 1999 09:48:48 PDT you wrote
>>
>> Hi,
>>
>> An IPSec Architecture question.
>> In the following network
>>
>>
>> S1-----         -----D1
>>        |        |
>>       SG1      SG2
>>        |        |
>> S2-----         -----D2
>>
>> I have a setup where a pair of gateways SG1, SG2 are protecting
>> hosts S1,S2 and D1,D2 respectively. I want to define 2 vpns
>> VPN1, VPN2 where
>>
>> S1,D1 belong to VPN1
>>
>> S2,D2 belong to VPN2
>>
>> Does the IPsec architecture allow for such policy definitions?
>> i.e.: multiple VPNs managed by a pair of gateways.
>>
>> If so
>> Can the main mode characteristics for VPN1 and VPN2 be different?
>> Are there any constraints on how they can be different?
>>
>> For example:
>>
>> VPN1 (main mode characteristics)
>> DES, MD5, preshared authentication with secret1
>>
>> VPN2 (main mode characteristics)
>> DES, MD5, preshared authentication with secret2
>>
>> VPN1 and VPN2 are different only in the preshared secret used
>> for authentication purposes.
>
>The answer is no since there's nothing like a "cert req" payload for
>pre-shared keys. That's like saying you have two identical token cards and
>how does your radius server know which one you're using? But the next
Correct me if I am wrong.
Isn't the identity always sent as part of the first message to the RADIUS server,
which could then be used by the RADIUS server to pick the right token card?
If I have two different token cards, I would probably use two
different identities.
>question is why do you want to do this? The IKE SA is just used to protect
>IKE traffic. You can use the same IKE SA to generate IPSec SAs for S1->D1
>and S2->D2. Do Quick Mode with PFS if you're worried about the keys being
>related.
>
> Dan.
I was hoping to allow different policy definitions (vpns)
including IKE parameters (crypto algorithms, rekeying time,
authentication method, authentication parameters ...)
thereby allowing different security definitions for
different peer groups.
-- sankar --
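An added illustration of the point Dan makes above (not code from the thread): in main mode the ID payloads travel in messages 5 and 6, encrypted under SKEYID_e, and with pre-shared-key authentication SKEYID_e is derived from the pre-shared key itself, so the responder has to select the key using only what messages 1 to 4 reveal, which is the peer's address. The derivation follows RFC 2409 with HMAC-MD5 as the prf; the nonces, cookies, Diffie-Hellman result, addresses and secrets are constructed placeholders.

```python
"""IKE main mode with pre-shared keys: the responder must pick the key before
it sees the identity.  Added illustration; nonces, cookies, addresses and
secrets are constructed placeholders, not a captured exchange."""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 prf is HMAC of the negotiated hash; the thread proposes MD5.
    return hmac.new(key, data, hashlib.md5).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # Pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni + nr)


def skeyid_e(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    # SKEYID_d, SKEYID_a, then SKEYID_e, the key that protects messages 5 and 6,
    # which is where the ID payloads travel.  Everything hangs off the PSK.
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    return prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")


def responder_psk_candidates(psk_table: dict, peer_ip: str) -> list:
    """Messages 1-4 carry SA, KE and nonce payloads but no identity, so the
    peer's address is the only selector available when SKEYID is needed.
    Returns every (vpn, psk) registered for that address; two or more means
    the responder cannot tell VPN1 from VPN2 at this point."""
    return [(vpn, psk) for (ip, vpn), psk in psk_table.items() if ip == peer_ip]


def demo() -> tuple:
    # The policy asked about in the thread: two VPNs behind one gateway,
    # differing only in the pre-shared secret (constructed sample table).
    psk_table = {("192.0.2.1", "VPN1"): b"secret1",
                 ("192.0.2.1", "VPN2"): b"secret2"}
    ni, nr = b"\x11" * 16, b"\x22" * 16                        # constructed
    gxy, cky_i, cky_r = b"\x33" * 96, b"\xaa" * 8, b"\xbb" * 8  # constructed
    cands = responder_psk_candidates(psk_table, "192.0.2.1")
    keys = {vpn: skeyid_e(skeyid_psk(psk, ni, nr), gxy, cky_i, cky_r)
            for vpn, psk in cands}
    # Two different SKEYID_e values for the same peer: whichever one decrypts
    # IDii is the right VPN, but IDii is exactly what would have told us which.
    return len(cands), keys["VPN1"] != keys["VPN2"]


if __name__ == "__main__":
    print(demo())  # (2, True)
```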