
RE: Phase 2 ID's for different VPN's with different Address Space



Wouldn't VPNs with overlapping address space cause a problem
only when the address spaces intersect on both ends?
If they are just intersecting on one side then the address selectors
should be able to uniquely determine which VPN the phase 2 exchange
belongs to - right?

Also in the diagram shown below, wouldn't using identifiers of
type IP_ADDRESS_RANGE solve the problem?

Thanks,

-- sankar --


-----Original Message-----
From: Dan Harkins [mailto:dharkins@network-alchemy.com]
Sent: Monday, November 01, 1999 5:28 PM
To: Daniel Fox
Cc: ipsec@lists.tislabs.com
Subject: Re: Phase 2 ID's for different VPN's with different Address Space


  Dan,

  I think the key here is "Each VPN has its own address space which may
or may not overlap." In that case the answer is that there is no way
to handle this using IPSec (today). At least I don't see a way. If you
could rule out overlapping address space it would work the way I
described; if you can't then I don't think there's a way to do this
which would guarantee interoperability. There's no concept of a VPN
as a selector parameter.

  Dan.

On Mon, 01 Nov 1999 20:12:47 EST you wrote
> 
> Dan,
> 
> Thanks for the reply.
> 
> I think amending my architecture to include the subnets will clarify
> things.
> 
> VPN 1, site A                                     VPN 1, site B
> ---------+        +------+          +------+        +---------
> 10.1/16  |        |      |          |      |        |  10.2/16
>          +--------+      |          |      +--------+
>                   | GW A +----------+ GW B |
>          +--------+      |          |      +--------+
> 10.1/16  |        |      |          |      |        |  10.2/16
> ---------+        +------+          +------+        +---------
> VPN 2, site A                                     VPN 2, site B
> 
> Each VPN has its own address space which may or may not overlap.  In the
> above example, VPN 1 has two sites with 10.1/16 subnet and 10.2/16 subnet.
> VPN 2 also has two sites, one with a 10.1/16 subnet, and the other a
> 10.2/16 subnet.  (This is a requirement as we don't want to mandate which
> addresses each VPN chooses to use).
> 
> The first packet arrives from VPN1, site A (and I know this from the L2
> interface it uses), destined for VPN1, site B.
> 
> GWA initiates phase 1 with GWB.  They use DN ID's (because each has a
> certificate) for this phase.
> 
> Then GWA initiates phase 2 with GWB.  Let's say they use
> ID_IPV4_ADDR_SUBNET for both IDci and IDcr.  Then IDci=10.1/16 and
> IDcr=10.2/16.  When GWB sees the phase 2 ID's, GWB has no way of knowing
> whether the ID's correspond to the address space of VPN1 or VPN2.
> Therefore, when GWB receives an ESP packet from GWA with the SPI
> negotiated, GWB has no idea whether to forward the packet to VPN 1, site B
> or VPN 2, site B.
> 
> I hope this makes it clearer.  Dan, does this change your answer?  Or did I
> misunderstand your answer?
> 
> -Dan
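The selector lookup GW B has to perform when the phase 2 IDs arrive, modelled as an added example (not code from the list thread or any IPsec implementation). It builds GW B's policy table from the diagram, matches a proposed IDci/IDcr pair against it, and shows that the pair matches both VPNs when the address spaces overlap on both ends, matches exactly one VPN when only site A overlaps (sankar's first question), and that writing the same hosts as an ID_IPV4_ADDR_RANGE selects the same policies (sankar's second question). The SPD layout and the constructed 10.3/16 variant are assumptions for illustration.

```python
"""Responder-side phase 2 selector lookup for the topology in the thread.
Constructed example; the policy table is a simplified SPD, not a real one."""
from ipaddress import ip_address, ip_network, summarize_address_range

# GW B's policies from the diagram: both VPNs use 10.1/16 <-> 10.2/16.
SPD_GW_B = [
    {"vpn": "VPN 1", "remote": ip_network("10.1.0.0/16"), "local": ip_network("10.2.0.0/16")},
    {"vpn": "VPN 2", "remote": ip_network("10.1.0.0/16"), "local": ip_network("10.2.0.0/16")},
]

# Constructed variant: address space overlaps at site A only
# (VPN 2, site B is assumed to use 10.3/16 instead of 10.2/16).
SPD_GW_B_ONE_SIDE = [
    {"vpn": "VPN 1", "remote": ip_network("10.1.0.0/16"), "local": ip_network("10.2.0.0/16")},
    {"vpn": "VPN 2", "remote": ip_network("10.1.0.0/16"), "local": ip_network("10.3.0.0/16")},
]


def parse_id(ident):
    """Accept an ID_IPV4_ADDR_SUBNET ("10.1.0.0/16") or an
    ID_IPV4_ADDR_RANGE ("10.1.0.0-10.1.255.255") and return the
    list of networks it covers. A range is just another spelling
    of the same set of hosts, so it carries no extra information."""
    if "-" in ident:
        lo, hi = ident.split("-")
        return list(summarize_address_range(ip_address(lo), ip_address(hi)))
    return [ip_network(ident)]


def matching_policies(spd, idci, idcr):
    """Return every SPD entry whose selectors cover the proposed IDs
    (IDci = initiator side, IDcr = responder side)."""
    ci_nets = parse_id(idci)
    cr_nets = parse_id(idcr)
    return [p for p in spd
            if all(n.subnet_of(p["remote"]) for n in ci_nets)
            and all(n.subnet_of(p["local"]) for n in cr_nets)]


def resolve_vpn(spd, idci, idcr):
    """Return the VPN name when exactly one policy matches, else None.
    None is the case Dan describes: GW B cannot tell which VPN the
    ESP traffic arriving on the negotiated SPI should be forwarded to."""
    hits = matching_policies(spd, idci, idcr)
    return hits[0]["vpn"] if len(hits) == 1 else None


if __name__ == "__main__":
    print(resolve_vpn(SPD_GW_B, "10.1.0.0/16", "10.2.0.0/16"))          # None
    print(resolve_vpn(SPD_GW_B_ONE_SIDE, "10.1.0.0/16", "10.2.0.0/16")) # VPN 1
    print(resolve_vpn(SPD_GW_B_ONE_SIDE, "10.1.0.0/16", "10.3.0.0/16")) # VPN 2
```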

