
Re: matching GW addr to ID payload (fwd)



On Fri, 3 Dec 1999, Slava Kavsan wrote:
> Well... in this case neither my scheme nor Jan's scheme are going to work with
> NAT.

Says who? My scheme works through NAT, at least static NAT: Ignore the ID
payload, and store your keys based on the NAT'd address.

Works just fine.

For dynamic NAT as well as dynamic IP addresses, you'll need (shudder) group
keys (or better yet: Certs).

jan



> Unless users are willing to switch to alternatives like Aggressive Mode or
> Certificate-based authentication, NAT users will be out of luck :((
> .
> 
> "CHINNA N.R. PELLACURU" wrote:
> 
> > On Fri, 3 Dec 1999, Slava Kavsan wrote:
> >
> > > "CHINNA N.R. PELLACURU" wrote:
> > >
> > > > Is this acceptable, or should we enforce that ID and the IP address used
> > > > should be equal?
> > >
> > > I would say yes in the case when ID Payload contains IP Address type.
> > > But we should also allow to have ID Payload to contain FQDN type (and other
> > > non-IP IDs) and use it to select the Policy entry.
> > >
> > >
> > >
> >
> > If you do not check that the ID used to search the pre-shared key is the
> > same as the ID payload content, then you should not use the ID payload
> > content to select policy. I.e., in MM using pre-shared keys, only the source
> > IP address on the negotiation can be used to select policy.
> >
> > If I know the pre-shared key associated with IP1, then the gateway should
> > select the policy associated with IP1, and should not select the policy
> > based on what I sent in the ID payload (if this is different from IP1).
> >
> > -chinna
> >
> > chinna narasimha reddy pellacuru
> > s/w engineer
> 
> --
> Bronislav Kavsan
> IRE Secure Solutions, Inc.
> 100 Conifer Hill Drive  Suite 513
> Danvers, MA  01923
> voice: 978-539-4816
> http://www.ire.com
> 
> 
> 
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
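The point argued in this thread, modelled as an added example that is not part of the original list discussion: in Main Mode with pre-shared keys the responder must choose the PSK by the peer's source address (the NAT'd address for a peer behind static NAT, as the reply above suggests), so policy must be selected by that same address rather than by the unverified ID payload. The peer table, addresses, PSKs and policy names below are constructed for illustration; `select_policy_inconsistent` shows the lookup Chinna warns against, `select_policy_consistent` the lookup the thread recommends.

```python
"""Added example (not from the thread): IKE Main Mode pre-shared-key
lookup and policy selection keyed on the peer's source address.

In Main Mode with pre-shared keys the responder has to pick the PSK
before the initiator's ID payload can be verified, so the only usable
lookup key is the source IP seen on the wire (the NAT'd address for a
peer behind static NAT). The hazard discussed above: choosing the PSK
by source IP but the policy by the ID payload lets two different
entries be combined. The consistent scheme selects both by the same
address and rejects an ID_IPV4_ADDR payload that disagrees with it.
All names and values here are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PeerEntry:
    psk: bytes
    policy: str  # name of the SA / traffic policy to apply for this peer


# Constructed sample database keyed by the address the responder actually
# sees. For a peer behind static NAT this is the NAT'd address, which is
# the "store your keys based on the NAT'd address" approach from the reply.
PEERS = {
    "192.0.2.10": PeerEntry(psk=b"psk-for-branch-a", policy="branch-a"),
    "192.0.2.20": PeerEntry(psk=b"psk-for-branch-b", policy="branch-b"),
    "203.0.113.5": PeerEntry(psk=b"psk-for-nat-site", policy="nat-site"),
}

# An ID payload is modelled as (ID type name, value); the type names
# follow the IKEv1 identification types.
IdPayload = Tuple[str, str]


def lookup_psk(src_ip: str) -> Optional[bytes]:
    """PSK selection: only the source address is available at this point."""
    entry = PEERS.get(src_ip)
    return entry.psk if entry else None


def select_policy_inconsistent(src_ip: str, id_payload: IdPayload) -> Optional[str]:
    """The lookup the thread warns against: PSK found by source IP, but the
    policy chosen from the address carried in the ID payload. Nothing ties
    the two together, so a peer holding the PSK for src_ip can be handed
    the policy of any other entry simply by naming it in the ID payload."""
    if lookup_psk(src_ip) is None:
        return None
    id_type, id_value = id_payload
    if id_type == "ID_IPV4_ADDR" and id_value in PEERS:
        return PEERS[id_value].policy
    return None


def select_policy_consistent(src_ip: str, id_payload: IdPayload) -> Optional[str]:
    """The scheme the thread converges on: the entry that supplied the PSK
    also supplies the policy. For ID_IPV4_ADDR the payload must equal the
    lookup address (the "enforce that ID and the IP address should be
    equal" check); for non-IP ID types the payload is not used to pick a
    different entry, matching the "ignore the ID payload" reply above."""
    entry = PEERS.get(src_ip)
    if entry is None:
        return None  # no PSK for this address: negotiation cannot proceed
    id_type, id_value = id_payload
    if id_type == "ID_IPV4_ADDR" and id_value != src_ip:
        return None  # ID payload disagrees with the address that chose the PSK
    return entry.policy


if __name__ == "__main__":
    claimed = ("ID_IPV4_ADDR", "192.0.2.20")
    print("inconsistent:", select_policy_inconsistent("192.0.2.10", claimed))
    print("consistent:  ", select_policy_consistent("192.0.2.10", claimed))
```

Running it shows the inconsistent lookup returning `branch-b` for a peer whose PSK belongs to `192.0.2.10`, while the consistent lookup returns `None` and leaves the decision to the entry that actually matched the PSK.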


