
security gateways with different policies
hi!

i'm trying to understand how negotiation of SA granularity is supposed to
work.

suppose we have two security gateways with different policies in their
SPDs. the first gateway has a single rule which says that it must apply IPSec
processing to all packets and that the SA selector is copied from the SPD. the
second gateway has a single rule which says that it must apply IPSec processing
and that the SA selector is copied from the packet. the first gateway wants to
use a single SA for all traffic and the second one wants to use a different SA
for every TCP connection/UDP packet.

the gateways use IKE for SA setup. what does the Quick Exchange look like when
the first gateway is the initiator and when the second gateway is the initiator?
what are the IDui and IDur? can the responder change the IDs sent by the
initiator or not? when the second gateway is the initiator and sends an IDui and
IDur which specify a single TCP connection, can the first gateway accept it even
if its SPD wants to use a single SA for all traffic?

arne
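A small policy model of the scenario in the message above, added here as an illustration and not part of the original post. It assumes constructed networks (10.1.0.0/16 behind gateway 1, 10.2.0.0/16 behind gateway 2), hypothetical names (`Selector`, `SpdEntry`, `propose`, `evaluate`), and the RFC 4301 subset principle for acceptance; it shows that "the proposal lies within my SPD entry" and "the proposal is at the granularity my SPD entry asks for" are two separate checks, which is exactly where the two gateways disagree.

```python
# Toy model of SPD selectors with SA granularity "copied from SPD" vs "copied from
# packet" for the two-gateway scenario in the post. Constructed example, not from the
# original message; acceptance uses the RFC 4301 subset rule (the proposal must lie
# within the responder's own SPD entry). IKE payloads themselves are not modelled.
from dataclasses import dataclass
from ipaddress import IPv4Network

ANY_PORT = (0, 65535)

@dataclass(frozen=True)
class Selector:
    src: IPv4Network
    dst: IPv4Network
    proto: "int | None"        # None = any protocol
    sport: tuple               # inclusive (low, high) port ranges
    dport: tuple

    def contains(self, o: "Selector") -> bool:
        """True if every field of `o` lies within this selector."""
        return (o.src.subnet_of(self.src) and o.dst.subnet_of(self.dst)
                and (self.proto is None or self.proto == o.proto)
                and self.sport[0] <= o.sport[0] <= o.sport[1] <= self.sport[1]
                and self.dport[0] <= o.dport[0] <= o.dport[1] <= self.dport[1])

    def mirror(self) -> "Selector":    # the same traffic as seen from the peer
        return Selector(self.dst, self.src, self.proto, self.dport, self.sport)

    def is_single_flow(self) -> bool:  # one host pair, one protocol, one port pair
        return (self.src.prefixlen == 32 and self.dst.prefixlen == 32 and self.proto is not None
                and self.sport[0] == self.sport[1] and self.dport[0] == self.dport[1])

@dataclass(frozen=True)
class SpdEntry:
    selector: Selector   # outbound view: src = local side, dst = remote side
    from_packet: bool    # True: SA selectors copied from the triggering packet

def propose(entry: SpdEntry, src: str, dst: str, proto: int, sport: int, dport: int) -> Selector:
    """Selector an initiator derives for a new SA from its SPD entry and the packet."""
    if not entry.from_packet:
        return entry.selector                                # one SA for the whole entry
    return Selector(IPv4Network(src + "/32"), IPv4Network(dst + "/32"),
                    proto, (sport, sport), (dport, dport))   # one SA per TCP/UDP flow

def evaluate(responder: SpdEntry, proposed: Selector) -> dict:
    """Responder's view: is the mirrored proposal within policy, and at its own SPD granularity?"""
    mine = proposed.mirror()
    return {"within_policy": responder.selector.contains(mine),
            "granularity_ok": mine.is_single_flow() if responder.from_packet else True}

# Constructed topology: 10.1.0.0/16 behind gateway 1, 10.2.0.0/16 behind gateway 2.
GW1 = SpdEntry(Selector(IPv4Network("10.1.0.0/16"), IPv4Network("10.2.0.0/16"), None, ANY_PORT, ANY_PORT), False)
GW2 = SpdEntry(Selector(IPv4Network("10.2.0.0/16"), IPv4Network("10.1.0.0/16"), None, ANY_PORT, ANY_PORT), True)
# Gateway 2 initiates for one TCP connection 10.2.0.5:40000 -> 10.1.0.9:80; gateway 1 responds.
gw2_initiates = evaluate(GW1, propose(GW2, "10.2.0.5", "10.1.0.9", 6, 40000, 80))
# Gateway 1 initiates with its single wide selector; gateway 2 responds.
gw1_initiates = evaluate(GW2, propose(GW1, "10.1.0.9", "10.2.0.5", 6, 80, 40000))
```

The narrow per-connection proposal fits inside gateway 1's wide entry on both counts, while gateway 1's wide proposal is within gateway 2's policy but not at the per-flow granularity its SPD asks for; how IKE reconciles that second case is the open question in the post.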