[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Non-IP type Client IDs

To: Mike Williams <mikewill@ibm.net>
Subject: Re: Non-IP type Client IDs
From: Joern Sierwald <joern.sierwald@datafellows.com>
Date: Fri, 20 Aug 1999 17:51:49 +0300
Cc: ipsec@lists.tislabs.com
In-Reply-To: <37BD4D00.702D4206@ibm.net>
References: <3.0.5.32.19990820102206.00be0e60@smtp.datafellows.com>
Sender: owner-ipsec@lists.tislabs.com

At 08:41 20.8.1999 -0400, Mike Williams wrote:
>See my comments below.
>
>Mike Williams
>IBM Corporation
>
>
>Joern Sierwald wrote:
>
>> The use of Phase 2 IDs is indeed a bit unclear and implementations
>> use them differently.
>>
>> In my opinion, phase 2 IDs should be limited to the IP address types:
>>   IPSEC_ID_IPV4_ADDR                    = 1,
>>   IPSEC_ID_IPV4_ADDR_SUBNET             = 4,
>>   IPSEC_ID_IPV6_ADDR                    = 5,
>>   IPSEC_ID_IPV6_ADDR_SUBNET             = 6,
>>   IPSEC_ID_IPV4_ADDR_RANGE              = 7,
>>   IPSEC_ID_IPV6_ADDR_RANGE              = 8,
>>
>> If you are a mobile user, you send your current IP address as IDci.
>> The gateway has to remember the source address of the ISAKMP packets
>> and compares that with IDci. If they match, the SA is allowed.
>>
>
>I don't believe that this is a valid check.  The responder in this case
>has no way of knowing that the initiator is a client.  
Why not? Phase 1 is finished. You have the phase 1 ID, which is USER@FQDN
or ASN1_DN. 

>Making this check
>would prevent the initiator from ever being a gateway.  
Yes. That's the point. You don't want mobile users to be gateways.

>It is valid for
>IDci to be different than the IP address of the initiating IKE system
>when the initiator is a gateway.
Well, sure. Your GW policy says "remote ID (phase 1) 100.100.100.100 
is a gateway, the LAN behind it is 100.100.101.0/24" 
and "remote ID me@somewhere is a client".
I perform the abovementioned "ISAKMP IP address == IDci" test only
for the client, right?
100.100.100.100 will send a subset of 100.100.101.0/24 as IDci.

>
>>
>> Problem remains, what to do with NAT between two IPsec hosts.
>> Now the IDci and the source IP address of ISAKMP packets never
>> match. Using USER_FQDN would indeed solve this, but I'd rather
>> assign a fixed private IP address for the client, so the IDci
>> is always 192.168.7.9, no matter from where he dials in.
>> Or use cfg-mode.
>>
>
>Without using something like USER_FQDN or KEYID, how can you have
>different phase 2 policies for different remote users.  
For mobile users, I use USER@FQDN or ASN1_DN in phase 1 with aggressive mode.

>I also believe
>that there are many cases when you will not be able to assign a fixed
>private IP address to the client.  Config Mode does help, but I don't
>know why we should preclude other options.

Well, I don't recommend cfg-mode, you can usually live without it.

Jörn

References:

Re: Non-IP type Client IDs

From: Joern Sierwald <joern.sierwald@datafellows.com>

Re: Non-IP type Client IDs

From: Mike Williams <mikewill@ibm.net>

Prev by Date: Re: Non-IP type Client IDs
Next by Date: Re: Non-IP type Client IDs
Prev by thread: Re: Non-IP type Client IDs
Next by thread: RE: Non-IP type Client IDs
Index(es):
- Main
- Thread