[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Non-IP type Client IDs

To: ipsec@lists.tislabs.com
Subject: Re: Non-IP type Client IDs
From: Joern Sierwald <joern.sierwald@datafellows.com>
Date: Fri, 20 Aug 1999 10:22:06 +0300
In-Reply-To: <37BC5FBF.4CA45E41@ibm.net>
Sender: owner-ipsec@lists.tislabs.com

The use of Phase 2 IDs is indeed a bit unclear and implementations
use them differently.

In my opinion, phase 2 IDs should be limited to the IP address types:
  IPSEC_ID_IPV4_ADDR			= 1,
  IPSEC_ID_IPV4_ADDR_SUBNET		= 4,
  IPSEC_ID_IPV6_ADDR			= 5,
  IPSEC_ID_IPV6_ADDR_SUBNET		= 6,
  IPSEC_ID_IPV4_ADDR_RANGE		= 7,
  IPSEC_ID_IPV6_ADDR_RANGE		= 8,

If you are a mobile user, you send your current IP address as IDci.
The gateway has to remember the source address of the ISAKMP packets
and compares that with IDci. If they match, the SA is allowed.

Problem remains, what to do with NAT between two IPsec hosts.
Now the IDci and the source IP address of ISAKMP packets never
match. Using USER_FQDN would indeed solve this, but I'd rather
assign a fixed private IP address for the client, so the IDci
is always 192.168.7.9, no matter from where he dials in.
Or use cfg-mode.

Jörn

Follow-Ups:

Re: Non-IP type Client IDs

From: Mike Williams <mikewill@ibm.net>

References:

Non-IP type Client IDs

From: Mike Williams <mikewill@ibm.net>

Prev by Date: Re: Weak authentication in Xauth and IKE
Next by Date: From firewall to IPSec VPNs
Prev by thread: Non-IP type Client IDs
Next by thread: Re: Non-IP type Client IDs
Index(es):
- Main
- Thread