Re: Phase 2 ID's for different VPN's with different Address Space
Thanks, Ari. I like this solution.
So I would obtain an assigned Labeled Domain Identifier from IANA and use SIT_SECRECY
with a defined secrecy category as the ID of the VPN.
Comments from others on the list on this solution?
-Dan
Ari Huttunen wrote:
> How about using either SIT_SECRECY or SIT_INTEGRITY
> together with the secrecy/integrity category being either VPN1
> or VPN2?
>
> Ari
>
> Dan Harkins wrote:
>
> > Dan,
> >
> > I think the key here is "Each VPN has its own address space which may
> > or may not overlap." In that case the answer is that there is no way
> > to handle this using IPSec (today). At least I don't see a way. If you
> > could rule out overlapping address space it would work the way I
> > described; if you can't then I don't think there's a way to do this
> > which would guarantee interoperability. There's no concept of a VPN
> > as a selector parameter.
> >
> > Dan.
> >
> > On Mon, 01 Nov 1999 20:12:47 EST you wrote
> > >
> > > Dan,
> > >
> > > Thanks for the reply.
> > >
> > > I think amending my architecture to include the subnets will clarify things.
> > >
> > > VPN 1, site A                          VPN 1, site B
> > > ---------+   +------+          +------+   +---------
> > > 10.1/16  |   |      |          |      |   |  10.2/16
> > >        +--------+   |          |   +--------+
> > >        |  GW A  +----------+  GW B  |
> > >        +--------+   |          |   +--------+
> > > 10.1/16  |   |      |          |      |   |  10.2/16
> > > ---------+   +------+          +------+   +---------
> > > VPN 2, site A                          VPN 2, site B
> > >
> > > Each VPN has its own address space which may or may not overlap. In the above
> > > example, VPN 1 has two sites with 10.1/16 subnet and 10.2/16 subnet. VPN 2 also
> > > has two sites, one with a 10.1/16 subnet, and the other a 10.2/16 subnet. (This
> > > is a requirement as we don't want to mandate which addresses each VPN chooses to
> > > use).
> > >
> > > The first packet arrives from VPN1, site A (and I know this from the L2 interface
> > > it uses), destined for VPN1, site B.
> > >
> > > GWA initiates phase 1 with GWB. They use DN ID's (because each has a certificate)
> > > for this phase.
> > >
> > > Then GWA initiates phase 2 with GWB. Let's say they use ID_IPV4_ADDR_SUBNET for
> > > both IDci and IDcr. Then IDci=10.1/16 and IDcr=10.2/16. When GWB sees the phase
> > > 2 ID's, GWB has no way of knowing whether the ID's correspond to the address space
> > > of VPN1 or VPN2. Therefore, when GWB receives an ESP packet from GWA with the SPI
> > > negotiated, GWB has no idea whether to forward the packet to VPN 1, site B or VPN
> > > 2, site B.
> > >
> > > I hope this makes it clearer. Dan, does this change your answer? Or did I
> > > misunderstand your answer?
> > >
> > > -Dan
>
> --
> Ari Huttunen phone: +358 9 859 900
> Senior Software Engineer fax : +358 9 8599 0452
>
> Data Fellows Corporation http://www.DataFellows.com
>
> F-Secure products: Integrated Solutions for Enterprise Security
--
Daniel Fox                      phone: 978-795-5405
Senior Software Engineer        fax  : 978-263-1099

Ennovate Networks               http://www.ennovatenetworks.com
60 Codman Hill Road, Boxborough, MA 01719, USA
dfox@ennovatenetworks.com
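The ambiguity in the quoted scenario, and why a per-VPN label resolves it, as an added example that is not code from anyone in this thread: a toy model in Python of how GW B binds an inbound SPI to a VPN. It assumes VPN configs are plain dicts and that a label string stands in for the SIT_SECRECY category Ari and Dan propose; the "disjoint" case in the usage shows Dan Harkins's point that plain subnet IDs suffice only when address spaces do not overlap.

```python
from ipaddress import IPv4Address, IPv4Network

# GW B's configuration, constructed from the diagram in the thread: both VPNs use
# 10.1/16 at site A (remote) and 10.2/16 at site B (local). "label" stands in for
# the per-VPN secrecy category that SIT_SECRECY would carry (encoding assumed).
GWB_VPNS = [
    {"vpn": "VPN1", "remote": IPv4Network("10.1.0.0/16"),
     "local": IPv4Network("10.2.0.0/16"), "label": "VPN1"},
    {"vpn": "VPN2", "remote": IPv4Network("10.1.0.0/16"),
     "local": IPv4Network("10.2.0.0/16"), "label": "VPN2"},
]


def match_vpns(idci, idcr, label=None, vpns=GWB_VPNS):
    """Names of every configured VPN whose (remote, local) subnets equal the
    phase 2 IDs (ID_IPV4_ADDR_SUBNET). With label=None only the subnets are
    compared, which is all that plain phase 2 IDs give GW B to work with."""
    idci, idcr = IPv4Network(idci), IPv4Network(idcr)
    return [v["vpn"] for v in vpns
            if IPv4Network(v["remote"]) == idci and IPv4Network(v["local"]) == idcr
            and (label is None or v["label"] == label)]


def bind_spi(sad, spi, idci, idcr, label=None, vpns=GWB_VPNS):
    """Accept an inbound SA only if the IDs select exactly one VPN; otherwise
    refuse, because ESP packets on that SPI could not be routed to the right
    site B network. Returns the VPN the SPI was bound to."""
    hits = match_vpns(idci, idcr, label, vpns)
    if len(hits) != 1:
        raise ValueError(f"{idci}->{idcr} label={label!r} matches {hits}; "
                         f"SPI {spi:#x} not bound")
    sad[spi] = {"vpn": hits[0], "local": IPv4Network(idcr)}
    return hits[0]


def forward(sad, spi, inner_dst):
    """After ESP decapsulation: look up the VPN for the SPI, then check that the
    inner destination lies inside that VPN's negotiated local subnet.
    Returns the VPN to forward into, or None to drop."""
    sa = sad.get(spi)
    if sa is None or IPv4Address(inner_dst) not in sa["local"]:
        return None
    return sa["vpn"]
```

With the thread's overlapping subnets, `bind_spi(sad, spi, "10.1.0.0/16", "10.2.0.0/16")` raises because both VPNs match, while the same call with `label="VPN1"` binds cleanly.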