Re: SA selectors
Michael,
>I have a question concerning the SA selectors:
>
>RFC 2401 requires support for the following SA selectors:
>- single source/dest address
>- source/dest address range
>- source/dest subnet with netmask
>- wildcard for source/dest address
>
>Does anyone support an SA to have multiple of these selector values at
>the same time?
>
>This is mainly a configuration issue:
>consider a huge corporate network and a policy affording the traffic of
>some selected machines to be protected with ipsec when traversing the
>internet to some remote site, protected by a security gateway.
>This would result in as many entries in the SAD as there are machines
>which must be protected. It would be much easier to configure
>-especially with manual keying- and much easier to monitor, if this
>setup would result in only one SA (which defines the same security
>parameters for all machines).
I'm a bit puzzled by the question. An SPD entry cannot have multiple values
for the same selector, but the wildcard, range, and netmask facilities
allow multiple sets of specific values to map to the same SPD entry and, if
desired, to the same SA. Is this what you were asking about?
Steve
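The point of the reply above, that one SPD entry with a subnet, range or wildcard selector covers many specific addresses and can steer them all to a single SA, can be shown with a small model of an ordered SPD. The code below is an added example written for this archive page, not code from either poster or from any IPsec implementation; the class and function names (Selector, SpdEntry, lookup, sas_used, spd_per_host), the sample addresses and the SA identifiers are all constructed for illustration. It also shows the contrast the question raises: the same coverage built the long way needs one single-address entry per host.

```python
"""Minimal model of RFC 2401-style SPD address selectors (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Selector:
    """One address selector: 'single', 'range', 'subnet' or 'wildcard'."""
    kind: str
    value: object = None

    @classmethod
    def single(cls, addr):
        return cls("single", ipaddress.ip_address(addr))

    @classmethod
    def addr_range(cls, lo, hi):
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo.version != hi.version or lo > hi:
            raise ValueError("range bounds must be same IP version, lo <= hi")
        return cls("range", (lo, hi))

    @classmethod
    def subnet(cls, cidr):
        return cls("subnet", ipaddress.ip_network(cidr, strict=False))

    @classmethod
    def wildcard(cls):
        return cls("wildcard", None)

    def matches(self, addr) -> bool:
        a = ipaddress.ip_address(addr)
        if self.kind == "wildcard":
            return True
        if self.kind == "single":
            return a == self.value
        if self.kind == "range":
            lo, hi = self.value
            # Comparing v4 and v6 addresses raises, so check the version first.
            return a.version == lo.version and lo <= a <= hi
        if self.kind == "subnet":
            return a in self.value  # False for a mismatched IP version
        raise ValueError(f"unknown selector kind {self.kind}")


@dataclass(frozen=True)
class SpdEntry:
    src: Selector
    dst: Selector
    action: str                 # "protect", "bypass" or "discard"
    sa_id: Optional[str] = None  # SA the traffic maps to when action == "protect"


def lookup(spd, src, dst) -> SpdEntry:
    """Ordered SPD lookup: the first entry whose selectors both match wins.

    Traffic matching no entry falls through to a discard entry, so an
    incomplete policy fails closed rather than leaking cleartext.
    """
    for entry in spd:
        if entry.src.matches(src) and entry.dst.matches(dst):
            return entry
    return SpdEntry(Selector.wildcard(), Selector.wildcard(), "discard")


def sas_used(spd, hosts, dst):
    """Set of SA identifiers the given hosts are steered to for traffic to dst."""
    return {lookup(spd, h, dst).sa_id for h in hosts}


def spd_per_host(hosts, dst, sa_id):
    """The same coverage built the long way: one single-address entry per host."""
    return [SpdEntry(Selector.single(h), Selector.single(dst), "protect", sa_id)
            for h in hosts]


# Constructed sample policy; the addresses and SA names are hypothetical.
GATEWAY = "192.0.2.10"
SPD_SUBNET = [
    SpdEntry(Selector.subnet("10.1.2.0/24"), Selector.single(GATEWAY), "protect", "SA-1"),
    SpdEntry(Selector.addr_range("10.1.3.10", "10.1.3.20"), Selector.single(GATEWAY), "protect", "SA-2"),
    SpdEntry(Selector.wildcard(), Selector.wildcard(), "discard"),
]
PROTECTED_HOSTS = [f"10.1.2.{i}" for i in range(1, 51)]

if __name__ == "__main__":
    print(len(SPD_SUBNET), "entries cover", len(PROTECTED_HOSTS), "hosts, SAs used:",
          sas_used(SPD_SUBNET, PROTECTED_HOSTS, GATEWAY))
    print(len(spd_per_host(PROTECTED_HOSTS, GATEWAY, "SA-1")), "entries the per-host way")
```

Running the module shows three SPD entries covering fifty hosts with a single SA, against fifty entries when each host gets its own single-address selector. The ordered lookup with a trailing discard entry is the part worth keeping in mind when writing real policy: a host that is meant to be protected but falls outside every selector is dropped, not sent in the clear.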