
RE: parallel vpns



>From: Dan Harkins [dharkins@Network-Alchemy.COM]
>Sent: Friday, July 09, 1999 10:27 AM
>To: Sankar Ramamoorthi
>Cc: 'ipsec@lists.tislabs.com'
>Subject: Re: parallel vpns 
>
>On Wed, 07 Jul 1999 09:48:48 PDT you wrote
>> 
>> Hi,
>> 
>> An IPSec Architecture question.
>> In the following network
>> 
>> 
>>     S1-----           -----D1
>>           |           |
>>          SG1         SG2
>>           |           |
>>     S2-----           -----D2
>> 
>> I have a setup where a pair of gateways SG1, SG2 are protecting
>> hosts S1,S2 and D1,D2 respectively. I want to define 2 vpns
>> VPN1, VPN2 where
>> 
>> S1,D1 belong to VPN1
>> 
>> S2,D2 belong to VPN2
>> 
>> Does the IPsec architecture allow for such policy definitions?
>> ie: multiple VPNs managed by a pair of gateways.
>> 
>> If so
>> Can the main mode characteristics for VPN1 and VPN2 be different?
>> Are there any constraints on how they can be different?
>> 
>> For example:
>> 
>> 	VPN1 (main mode characteristics)
>> 		DES, MD5, preshared authentication with secret1
>> 
>> 	VPN2 (main mode characteristics)
>> 		DES, MD5, preshared authentication with secret2
>> 	
>> VPN1 and VPN2 are different only in the preshared secret used
>> for authentication purposes.
>
>The answer is no since there's nothing like a "cert req" payload for 
>pre-shared keys. That's like saying you have two identical token cards and
>how does your radius server know which one you're using? But the next 

Correct me if I am wrong.
Isn't the identity always sent as part of the first message to the Radius server,
which could then be used by the Radius server to pick the right token card?
If I have two different token cards, I would probably use two
different identities.

>question is why do you want to do this? The IKE SA is just used to protect 
>IKE traffic. You can use the same IKE SA to generate IPSec SAs for S1->D1
>and S2->D2. Do Quick Mode with PFS if you're worried about the keys being
>related.
>
>  Dan.

I was hoping to allow different policy definitions (vpns)
including IKE parameters (crypto algorithms, rekeying time,
authentication method, authentication parameters..)
thereby allowing different security definitions for
different peer groups.

-- sankar --
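
The following is an added example, not code from this thread or from either poster. It models the two mechanisms the exchange turns on, using the RFC 2409 derivations: in main mode with pre-shared keys, SKEYID = prf(psk, Ni_b | Nr_b) is computed from the nonces in messages 3/4, and the ID payload only arrives in message 5, already encrypted under SKEYID_e, so the responder has to choose the PSK from the peer's IP address before it sees any identity (which is why two PSKs behind one gateway address cannot be told apart); and Quick Mode with PFS, which derives unrelated KEYMAT for S1->D1 and S2->D2 from one IKE SA. The 61-bit DH modulus, the XOR keystream standing in for DES-CBC, the SA body string and the secrets and identities are all constructed for the demo and are not real IKE parameters.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters for the demo only; real IKE uses the RFC 2409
# MODP groups (768/1024-bit primes), not a 61-bit Mersenne prime.
P = (1 << 61) - 1
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf for the MD5 choice in the thread: HMAC-MD5."""
    return hmac.new(key, data, hashlib.md5).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P).to_bytes(8, "big")


def dh_shared(x: int, gy: bytes) -> bytes:
    return pow(int.from_bytes(gy, "big"), x, P).to_bytes(8, "big")


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for DES-CBC under SKEYID_e (XOR with an HMAC keystream).
    Only the property that messages 5/6 are unreadable without SKEYID_e matters."""
    out = bytearray()
    for i in range(0, len(data), 16):
        block = prf(key, i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], block))
    return bytes(out)


def skeyid_chain(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5: for pre-shared keys SKEYID = prf(psk, Ni_b|Nr_b),
    then SKEYID_d, SKEYID_a, SKEYID_e.  The PSK is consumed here, before
    either side has sent an ID payload."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_e


def select_psk(psk_by_address: dict, peer_address: str):
    """Main mode responder: the only selector available when the PSK is
    needed is the peer address from message 1.  Two VPNs sharing the SG1/SG2
    pair give two candidates for one address; return None for that case."""
    candidates = psk_by_address[peer_address]
    return candidates[0] if len(candidates) == 1 else None


def run_main_mode(psk_initiator: bytes, psk_responder: bytes, id_i: bytes):
    """Simulate messages 1-5 and return the ID the responder recovers from
    message 5, or None when HASH_I does not verify under its PSK."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    sa_body = b"DES-CBC/MD5/PSK/group1"   # constructed stand-in for SAi_b
    xi, gxi = dh_keypair()                  # KE payload, message 3
    xr, gxr = dh_keypair()                  # KE payload, message 4
    # Initiator, message 5: IDii and HASH_I, encrypted under SKEYID_e.
    skeyid_i, _, skeyid_e_i = skeyid_chain(
        psk_initiator, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    hash_i = prf(skeyid_i, gxi + gxr + cky_i + cky_r + sa_body + id_i)
    msg5 = xor_keystream(skeyid_e_i, bytes([len(id_i)]) + id_i + hash_i)
    # Responder: it must already hold the right PSK to read message 5 at all.
    skeyid_r, _, skeyid_e_r = skeyid_chain(
        psk_responder, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    plain = xor_keystream(skeyid_e_r, msg5)
    n = plain[0]
    got_id, got_hash = plain[1:1 + n], plain[1 + n:1 + n + 16]
    expected = prf(skeyid_r, gxi + gxr + cky_i + cky_r + sa_body + got_id)
    return got_id if hmac.compare_digest(got_hash, expected) else None


def quick_mode_keymat(skeyid_d: bytes, spi: bytes, pfs: bool = True) -> bytes:
    """RFC 2409 section 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol |
    SPI | Ni_b | Nr_b).  With PFS a fresh DH secret enters each derivation."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gqmxy = b""
    if pfs:
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        gqmxy = dh_shared(xi, gxr)
    return prf(skeyid_d, gqmxy + b"\x03" + spi + ni + nr)  # 3 = PROTO_IPSEC_ESP


def two_tunnels_one_ike_sa(psk: bytes) -> dict:
    """One IKE SA between SG1 and SG2, then a separate Quick Mode with PFS
    for S1->D1 and for S2->D2 (SPIs are constructed values)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    _, skeyid_d, _ = skeyid_chain(psk, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    return {"S1->D1": quick_mode_keymat(skeyid_d, b"\x00\x00\x10\x01"),
            "S2->D2": quick_mode_keymat(skeyid_d, b"\x00\x00\x10\x02")}
```

With matching secrets the responder reads the identity out of message 5; with the other VPN's secret it cannot decrypt the payload and HASH_I fails, so the identity never helps it choose. Aggressive mode moves IDii into the first message in the clear, which is the usual way PSK selection by identity is made to work, but the thread is about main mode.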

