
Re: parallel vpns



On Fri, 09 Jul 1999 15:28:22 PDT you wrote
> 
> Correct me if I am wrong.
> Isn't the identity always sent as part of first message to Radius server
> which then could be used by the Radius Server to pick the right token card?
> If I have two different token cards, I would probably use two
> different identities.

Use two different identities with IKE then. ID_KEY_ID can be used for this 
purpose if you have to use pre-shared keys. If you don't then it doesn't
matter as the public key used in authentication can be identified with other 
valid phase 1 IDs.

> >question is why do you want to do this? The IKE SA is just used to protect 
> >IKE traffic. You can use the same IKE SA to generate IPSec SAs for S1->D1
> >and S2->D2. Do Quick Mode with PFS if you're worried about the keys being
> >related.
> >
> >  Dan.
> 
> I was hoping to allow different policy definitions (vpns)
> including IKE parameters (crypto algorithms, rekeying time,
> authentication method, authentication parameters..)
> thereby allowing different security definitions for 
> different peer groups.

Why? Aren't the "security definitions" of "peer groups" done with IPSec
policy? How do different IKE crypto algorithms or IKE authentication methods
change that? If you want to do Blowfish and HMAC-RIPEMD to protect traffic
from S1 to D1 then it doesn't matter whether the IKE SA was authenticated
with El-Gamal or encrypts its messages with CAST.

  Dan.
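The point in Dan's quoted paragraph (one IKE SA can generate the IPsec SAs for S1->D1 and S2->D2, and Quick Mode with PFS keeps their keys from being related) worked through as an added Python example; this is not code from the original thread. It follows the RFC 2409 section 5.5 Quick Mode KEYMAT derivation, assumes HMAC-SHA1 as the prf, and uses constructed SKEYID_d, SPIs, nonces and DH secrets.

```python
import hashlib
import hmac
from typing import Optional

PROTO_IPSEC_ESP = 3  # protocol id from the IPsec DOI (RFC 2407)


def keymat(skeyid_d: bytes, protocol: int, spi: bytes, ni_b: bytes, nr_b: bytes,
           length: int, gqm_xy: Optional[bytes] = None) -> bytes:
    """Quick Mode KEYMAT per RFC 2409 section 5.5, with HMAC-SHA1 as the prf.

    Without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    Longer keys chain: K2 = prf(SKEYID_d, K1 | ...), KEYMAT = K1 | K2 | ...
    """
    tail = (gqm_xy or b"") + bytes([protocol]) + spi + ni_b + nr_b
    out, k_prev = b"", b""
    while len(out) < length:
        k_prev = hmac.new(skeyid_d, k_prev + tail, hashlib.sha1).digest()
        out += k_prev
    return out[:length]


# Constructed inputs: one IKE SA (one SKEYID_d) protecting two Quick Modes,
# S1->D1 and S2->D2, each with its own SPI, nonces and (if PFS) DH secret.
SKEYID_D = hashlib.sha1(b"constructed SKEYID_d of the shared IKE SA").digest()
SAS = {
    "S1->D1": dict(spi=bytes.fromhex("0000a1b2"), ni_b=b"Ni-1", nr_b=b"Nr-1",
                   gqm_xy=hashlib.sha1(b"constructed QM1 DH secret").digest()),
    "S2->D2": dict(spi=bytes.fromhex("0000c3d4"), ni_b=b"Ni-2", nr_b=b"Nr-2",
                   gqm_xy=hashlib.sha1(b"constructed QM2 DH secret").digest()),
}


def esp_keys(pfs: bool, length: int = 32) -> dict:
    """KEYMAT each IPsec SA actually uses, all derived from the one IKE SA."""
    return {name: keymat(SKEYID_D, PROTO_IPSEC_ESP, p["spi"], p["ni_b"], p["nr_b"],
                         length, p["gqm_xy"] if pfs else None)
            for name, p in SAS.items()}


def recoverable_from_skeyid_d(pfs: bool) -> bool:
    """Could a party that learned SKEYID_d (plus the SPIs and nonces carried in
    Quick Mode) recompute the IPsec keys without the per-Quick-Mode DH secret?"""
    real = esp_keys(pfs)
    guess = {name: keymat(SKEYID_D, PROTO_IPSEC_ESP, p["spi"], p["ni_b"], p["nr_b"], 32)
             for name, p in SAS.items()}
    return guess == real
```

The two SAs get distinct keys either way because their SPIs and nonces differ; only with PFS does knowledge of SKEYID_d stop being enough to reconstruct both.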