Re: IKE negotiation/rekeying problem with RSIP

["Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>]

>>>>> "Saint-Hilaire," == Saint-Hilaire, Ylian <ylian.saint-hilaire@intel.com> writes:
    Saint-Hilaire,> There is a possible problem IKE initiation/rekeying over
    Saint-Hilaire,> RSIP. If two inner computers use an RSIP gateway to
    Saint-Hilaire,> establish IPsec sessions to one destination, the
    Saint-Hilaire,> destination computers will see 2 IKE phase1's from the

  1) this in itself may be a problem for some gateways.

    Saint-Hilaire,> gateway. If the destination computer ever needs to rekey
    Saint-Hilaire,> a phase 2 or negotiate a new phase 2, he may select an
    Saint-Hilaire,> incorrect phase 1 to negotiate with.

  2) worse, they can't both get UDP port 500. There are choices to resolve
this:
	a) permit initiators to use other than port 500, and have the
	remote gateway respond to the correct port.

	b) have the gateway demux based upon cookies instead of port numbers.
	This makes the gateway aware of IKE, but it needs to know proto 50/51
	anyway.

   :!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
   Michael Richardson |  Cow#2: No. I'm a duck.
 Home: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available.

---

References:

• IKE negotiation/rekeying problem with RSIP
• From: "Saint-Hilaire, Ylian" <ylian.saint-hilaire@intel.com>

---

• Prev by Date: IKE negotiation/rekeying problem with RSIP
• Next by Date: RE: Some queries regarding IP security
• Prev by thread: IKE negotiation/rekeying problem with RSIP
• Next by thread: Re: IKE negotiation/rekeying problem with RSIP
• Index(es):
  • Main
  • Thread