SA selectors
Hello!
I have a question concerning the SA selectors:
RFC 2401 requires support for the following SA selectors:
- single source/dest address
- source/dest address range
- source/dest subnet with netmask
- wildcard for source/dest address
Does anyone support an SA having multiple of these selector values at
the same time?
This is mainly a configuration issue:
consider a huge corporate network and a policy affording the traffic of
some selected machines to be protected with ipsec when traversing the
internet to some remote site, protected by a security gateway.
This would result in as many entries in the SAD as there are machines
which must be protected. It would be much easier to configure
(especially with manual keying) and much easier to monitor if this
setup resulted in only one SA (which defines the same security
parameters for all machines).
All comments appreciated!
Thanks,
Michael.
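The following is an added example, not code from the original post or from any IPsec implementation: it models the four RFC 2401 address-selector kinds (single address, address range, subnet with netmask, wildcard) and one SA entry that carries several (source, destination) selector pairs, which is exactly the "one SA for many machines" configuration the question asks about. It assumes IPv4 only, address selectors only (protocol and port selectors are ignored), that the first SA whose selectors cover a packet wins, and that traffic matching no SA yields None so the caller can apply its own discard or bypass policy. The host addresses, the remote network and the SPI value are constructed sample data.

```python
"""
Added example (not from the original post): the four RFC 2401 address
selector kinds and one SA entry carrying several of them at once.
Assumptions: IPv4 only, address selectors only, first match wins,
unmatched traffic returns None.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class AddrSelector:
    """One address selector: 'single', 'range', 'subnet' or 'wildcard'."""
    kind: str
    lo: Optional[IPv4] = None                      # single address / range low end
    hi: Optional[IPv4] = None                      # range high end
    net: Optional[ipaddress.IPv4Network] = None    # subnet with netmask

    def matches(self, addr: str) -> bool:
        a = IPv4(addr)
        if self.kind == "wildcard":
            return True
        if self.kind == "single":
            return a == self.lo
        if self.kind == "range":
            return self.lo <= a <= self.hi
        if self.kind == "subnet":
            return a in self.net
        raise ValueError(f"unknown selector kind {self.kind!r}")

    def host_count(self) -> int:
        """How many single-host selectors this selector would expand to."""
        if self.kind == "single":
            return 1
        if self.kind == "range":
            return int(self.hi) - int(self.lo) + 1
        if self.kind == "subnet":
            return self.net.num_addresses
        raise ValueError("a wildcard selector cannot be expanded per host")


def single(ip: str) -> AddrSelector:
    return AddrSelector("single", lo=IPv4(ip))

def addr_range(lo: str, hi: str) -> AddrSelector:
    lo_a, hi_a = IPv4(lo), IPv4(hi)
    if lo_a > hi_a:
        raise ValueError("range low end must not exceed high end")
    return AddrSelector("range", lo=lo_a, hi=hi_a)

def subnet(cidr: str) -> AddrSelector:
    return AddrSelector("subnet", net=ipaddress.IPv4Network(cidr, strict=True))

def wildcard() -> AddrSelector:
    return AddrSelector("wildcard")


@dataclass
class SAEntry:
    """One SA identified by its SPI, covering several (src, dst) selector pairs."""
    spi: int
    pairs: List[Tuple[AddrSelector, AddrSelector]]

    def covers(self, src: str, dst: str) -> bool:
        return any(s.matches(src) and d.matches(dst) for s, d in self.pairs)

    def single_host_equivalents(self) -> int:
        """SAD entries needed if every source host required its own SA."""
        return sum(s.host_count() for s, _ in self.pairs)


def lookup(sad: List[SAEntry], src: str, dst: str) -> Optional[int]:
    """Return the SPI of the first SA whose selectors cover the packet, else None."""
    for entry in sad:
        if entry.covers(src, dst):
            return entry.spi
    return None


# Constructed sample: selected corporate hosts talking to a remote site
# 192.168.50.0/24 behind a security gateway, all sharing one SA (SPI 0x1000).
REMOTE = subnet("192.168.50.0/24")
CORP_SA = SAEntry(spi=0x1000, pairs=[
    (single("10.1.1.5"), REMOTE),
    (single("10.1.1.9"), REMOTE),
    (subnet("10.1.2.0/28"), REMOTE),
    (addr_range("10.1.3.10", "10.1.3.20"), REMOTE),
])
SAD = [CORP_SA]

if __name__ == "__main__":
    for src, dst in [("10.1.1.5", "192.168.50.7"), ("10.1.1.6", "192.168.50.7"),
                     ("10.1.3.15", "192.168.50.1"), ("10.1.2.14", "10.9.9.9")]:
        print(src, "->", dst, "SPI:", lookup(SAD, src, dst))
    print("single-host SAs this one entry replaces:", CORP_SA.single_host_equivalents())
```

The single_host_equivalents() method makes the configuration argument from the post concrete: the one entry above covers 29 source hosts that would otherwise each need their own SAD entry under the same security parameters. Unmatched traffic deliberately returns None rather than silently falling through, so a caller can discard it or bypass IPsec according to policy instead of sending it unprotected by accident.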