
Re: parallel vpns



Hi Sankar,
  This is similar to some discussion on the ipsra mailing list a while ago.
  It is possible to have different IKE policies between two SGs,
  and possible only with different IDs. If you want to use preshared keys,
  then aggressive mode is the only solution. In case of signatures, you can
  still use main mode. See Vipul Gupta's draft which was posted on the ipsra
  mailing list.

Regards
Srini

Sankar Ramamoorthi wrote:

> Hi,
>
> An IPSec Architecture question.
> In the following network
>
>         S1-----            -----D1
>                 |         |
>                 SG1     SG2
>                 |         |
>         S2-----            -----D2
>
> I have a setup where a pair of gateways SG1, SG2 are protecting
> hosts S1,S2 and D1,D2 respectively. I want to define 2 vpns
> VPN1, VPN2 where
>
> S1,D1 belong to VPN1
>
> S2,D2 belong to VPN2
>
> Does the IPsec architecture allow for such policy definitions?
> i.e., multiple VPNs managed by a pair of gateways.
>
> If so
> Can the main mode characteristics for VPN1 and VPN2 be different?
> Are there any constraints on how they can be different?
>
> For example:
>
>         VPN1 (main mode characteristics)
>                 DES, MD5, preshared authentication with secret1
>
>         VPN2 (main mode characteristics)
>                 DES, MD5, preshared authentication with secret2
>
> VPN1 and VPN2 are different only in the preshared secret used
> for authentication purposes.
>
> SG1 initiates an IKE request to SG2. How can SG2
> determine to which VPN the request belongs by looking at the SA
> request?
>
> If SG2 were to pick the wrong VPN, then authentication will
> fail down the line and SG1 will not be able to complete
> the IKE exchange.
>
> I thought about using non-IP identifiers and having different phase 1
> identifiers for VPN1 and VPN2, but that leads to a different set of problems.
>
> What am I missing?
>
> Thanks for any input.
>
> -- sankar --
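The constraint Srini describes, as an added example that is not code from either poster: a responder can only pick a phase-1 policy on information it has at the moment it must commit to a credential. With preshared keys in main mode the ID payload arrives encrypted under keys derived from the PSK, so only the peer address is usable; aggressive mode sends the ID in message 1; with signatures the ID can be decrypted before any credential is chosen. Policy names, addresses and IDs are constructed sample values.

```python
"""Which IKEv1 phase-1 policy can a responder select, and when?

Added example, not code from the thread. Rule modelled (RFC 2409): main
mode + PSK needs the PSK before the peer's ID can be decrypted (messages
5/6), so selection can only use the source address; aggressive mode carries
ID_i in message 1; with signatures the ID is readable without a credential.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Phase1Policy:
    name: str        # e.g. "VPN1"
    peer_addr: str   # SG1's address as seen by SG2 (constructed)
    peer_id: str     # phase-1 identity (USER_FQDN here, constructed)
    auth: str        # "psk" or "sig"
    secret: str      # PSK value or certificate label (sample values)

# Constructed: both VPNs run between the same gateway pair, PSK auth.
POLICIES = [
    Phase1Policy("VPN1", "192.0.2.1", "sg1-vpn1@example.com", "psk", "secret1"),
    Phase1Policy("VPN2", "192.0.2.1", "sg1-vpn2@example.com", "psk", "secret2"),
]

def selectable_by_id(mode: str, auth: str) -> bool:
    """True if the responder knows ID_i before it must commit to a credential."""
    if mode == "aggressive":
        return True            # ID_i is sent in the clear in message 1
    if mode == "main":
        return auth == "sig"   # PSK: SKEYID needs the PSK to decrypt ID_i
    raise ValueError(f"unknown exchange mode {mode!r}")

def candidates(policies, mode, auth, peer_addr, peer_id):
    """Policies the responder cannot rule out at credential-selection time."""
    same_addr = [p for p in policies
                 if p.peer_addr == peer_addr and p.auth == auth]
    if selectable_by_id(mode, auth):
        return [p for p in same_addr if p.peer_id == peer_id]
    return same_addr           # address is all the responder has to go on

def choose(policies, mode, auth, peer_addr, peer_id):
    """Return the single matching policy, or None if none or ambiguous."""
    found = candidates(policies, mode, auth, peer_addr, peer_id)
    return found[0] if len(found) == 1 else None
```

With the sample policies, main mode with PSK leaves both VPNs as candidates (the failure Sankar anticipates), while aggressive mode or signature authentication resolves the choice by ID.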
