RE: parallel vpns
>On Fri, 09 Jul 1999 15:28:22 PDT you wrote
>>
>> Correct me if I am wrong.
>> Isn't the identity always sent as part of first message to Radius server
>> which then could be used by the Radius Server to pick the right token card?
>> If I have two different token cards, I would probably use two
>> different identities.
>
>Use two different identities with IKE then. ID_KEY_ID can be used for this
>purpose if you have to use pre-shared keys. If you don't then it doesn't
>matter as the public key used in authentication can be identified with other
>valid phase 1 IDs.
>
>> >question is why do you want to do this? The IKE SA is just used to protect
>> >IKE traffic. You can use the same IKE SA to generate IPSec SAs for S1->D1
>> >and S2->D2. Do Quick Mode with PFS if you're worried about the keys being
>> >related.
>> >
>> > Dan.
>>
>> I was hoping to allow different policy definitions (vpns)
>> including IKE parameters (crypto algorithms, rekeying time,
>> authentication method, authentication parameters..)
>> thereby allowing different security definitions for
>> different peer groups.
>
>Why? Aren't the "security definitions" of "peer groups" done with IPSec
>policy? How do different IKE crypto algorithms or IKE authentication methods
>change that? If you want to do Blowfish and HMAC-RIPEMD to protect traffic
>from S1 to D1 then it doesn't matter whether the IKE SA was authenticated
>with El-Gamal or encrypts its messages with CAST.
>
> Dan.
>
I guess it depends on how you want to view 'policy definition' of peer
groups. In my case I wanted to include both the IPSec policy and
IKE policy.
The recommendations are to use multiple ID_KEY_ID type phase 1 IDs
(from you and Scott) or use different UDP ports for different IKE
SAs (from Tamir).
-- sankar --