Phase 2 IDs for different VPNs with different address space
I have an interesting problem, and I am hoping that someone on the list
can help with the solution.
I am implementing an SGW that has many physical interfaces (T1, T3, etc.)
to different private networks. Each private network has its own address
space. A very simple architecture looks like this:
          VPN 1, site A                             VPN 1, site B
-------+                                                      +-------
       |                                                      |
    +--------+                                          +--------+
    |  GW A  +------------------------------------------+  GW B  |
    +--------+                                          +--------+
       |                                                      |
-------+                                                      +-------
          VPN 2, site A                             VPN 2, site B
My thinking is, I do a phase 1 IKE between GW A and GW B.
To set up the ESP tunnel for VPN 1, I do a phase 2 IKE between GW A and
GW B, using PFS. I do another similar phase 2 exchange for VPN 2 to set
up the ESP tunnel for this VPN.
Question: how do I identify that my clients belong to a particular VPN?
I can't use ID_IPV4_ADDR_SUBNET, since each VPN has its own address
space.
I could use ID_FQDN, but then I couldn't specify the IP addresses (plus
it's ugly). What I'd really like is to specify a 32-bit VPN identifier,
along with the IP subnet and transport port. Can I do this without
defining new ID types?
I could use ID_KEYID, but it really doesn't identify a key, and, of
course, it wouldn't be interoperable. However, I will use this if this
seems to be the preferred method.
Any help would be greatly appreciated.
Daniel Fox
Senior Software Engineer, Ennovate Networks
60 Codman Hill Road, Boxborough, MA 01719, USA
tel: 978-795-5405   fax: 978-263-1099
dfox@ennovatenetworks.com
http://www.ennovatenetworks.com
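To make the options in the question concrete, here is an added example (not code from the poster or from any IKE implementation) that encodes and decodes the ISAKMP Identification payload as the IPsec DOI defines it, for ID_IPV4_ADDR_SUBNET and for ID_KEY_ID. The 32-bit-VPN-id-plus-subnet layout inside ID_KEY_ID is a hypothetical private convention of this example, which is exactly why it is not interoperable; the parser checks the length fields before trusting anything, as a gateway must.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# ISAKMP Identification payload (RFC 2408 s3.8) as used by the IPsec DOI
# (RFC 2407 s4.6.2): next payload, reserved, length, ID type, protocol ID,
# port, then the identification data.
ID_IPV4_ADDR_SUBNET = 4
ID_KEY_ID = 11

def build_id_payload(id_type, proto, port, data, next_payload=0):
    """Encode one ID payload; the 8-byte header precedes the ID data."""
    hdr = struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), id_type, proto, port)
    return hdr + data

def subnet_id(net, proto=0, port=0):
    """ID_IPV4_ADDR_SUBNET: 4-byte network address followed by 4-byte mask."""
    n = IPv4Network(net)
    return build_id_payload(ID_IPV4_ADDR_SUBNET, proto, port,
                            n.network_address.packed + n.netmask.packed)

def keyid_vpn_id(vpn_id, net, proto=0, port=0):
    """Hypothetical private layout for ID_KEY_ID: 32-bit VPN id, then the
    subnet address and mask. The DOI treats the data as opaque, so only a
    peer that shares this layout can read it (no interoperability)."""
    n = IPv4Network(net)
    data = struct.pack("!I", vpn_id) + n.network_address.packed + n.netmask.packed
    return build_id_payload(ID_KEY_ID, proto, port, data)

def parse_id_payload(buf):
    """Decode an ID payload, checking lengths before trusting any field."""
    if len(buf) < 8:
        raise ValueError("truncated ID payload header")
    _, _, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError("payload length field inconsistent with buffer")
    data = buf[8:length]
    out = {"type": id_type, "proto": proto, "port": port}
    if id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        out["subnet"] = _subnet(data)
    elif id_type == ID_KEY_ID and len(data) == 12:   # our private layout only
        out["vpn_id"] = struct.unpack("!I", data[:4])[0]
        out["subnet"] = _subnet(data[4:])
    else:
        out["raw"] = data                              # opaque to this parser
    return out

def _subnet(addr_mask):
    """address+mask bytes -> 'a.b.c.d/n'; strict=True rejects host bits set."""
    return str(IPv4Network((addr_mask[:4], str(IPv4Address(addr_mask[4:8])))))
```

Two VPNs that reuse the same private subnet produce byte-identical ID_IPV4_ADDR_SUBNET payloads, which is the ambiguity the question describes; the ID_KEY_ID form keeps them distinct only between peers that agree on the layout.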