Q: SPD & IKE phase2 IDs
I have some questions about SPD & IKE phase2 IDs.
Which implementation is better, No.1 or No.2, in the example below?
In other words, which is 'MUST'?
------------------------------
Example
(1) Policy (established by system administrator)
IPsec tunnel
ESP(DES,SHA-1) (all traffic)
Network1-------VPNGW1============VPNGW2---------Network2
192.168.20.0/24                          192.168.21.0/24
                          |
                          V
(2) Security Policy Database (SPD) in VPN GW1
src addr = 192.168.20.0/24
dst addr = 192.168.21.0/24
action = IPSEC ESP(DES,SHA-1) in tunnel mode
                          |
                          V
(3) IKE Phase 2 (Quick Mode) ID payload generated by VPN GW1 (initiator)
Network1-------VPNGW1============VPNGW2---------Network2
PC1(192.168.20.5) ---------------------------> PC2(192.168.21.8)
[No.1]:
Phase 2 (Quick Mode) ID payload
IDci = 192.168.20.5
IDcr = 192.168.21.8
ID Type = ID_IPV4_ADDR
or
[No.2]:
Phase 2 (Quick Mode) ID payload
IDci = 192.168.20.0/24
IDcr = 192.168.21.0/24
ID Type = ID_IPV4_ADDR_SUBNET
------------------------------
I appreciate your help.
Regards,
Ichiro MIYAJIMA
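An added worked example (not from the post or any particular IKE implementation) that models the SPD entry above, derives the Quick Mode IDci/IDcr both ways the question shows (per-packet ID_IPV4_ADDR vs. SPD-selector ID_IPV4_ADDR_SUBNET), and adds the check a responder wants in either case: the proposed IDs must lie inside the matching local SPD selectors, so the resulting SA can never carry traffic the policy did not allow. The class and function names are hypothetical; the ID type numbers are the IPSEC DOI values from RFC 2407.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional, Tuple

# IKEv1 IPSEC DOI identification types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4


@dataclass(frozen=True)
class SpdEntry:
    src: IPv4Network   # local-side selector
    dst: IPv4Network   # remote-side selector
    action: str        # e.g. "ESP(DES,SHA-1) tunnel"


@dataclass(frozen=True)
class QmId:
    id_type: int
    data: IPv4Network  # a /32 network when id_type is ID_IPV4_ADDR


def spd_lookup(spd, src: str, dst: str) -> Optional[SpdEntry]:
    """Step (2): find the first SPD entry whose selectors cover the packet."""
    s, d = ip_network(src), ip_network(dst)
    for entry in spd:
        if s.subnet_of(entry.src) and d.subnet_of(entry.dst):
            return entry
    return None


def id_from_packet(src: str, dst: str) -> Tuple[QmId, QmId]:
    """No.1: IDs carry the addresses of the packet that triggered the SA."""
    return QmId(ID_IPV4_ADDR, ip_network(src)), QmId(ID_IPV4_ADDR, ip_network(dst))


def id_from_spd(entry: SpdEntry) -> Tuple[QmId, QmId]:
    """No.2: IDs carry the SPD selectors themselves."""
    return QmId(ID_IPV4_ADDR_SUBNET, entry.src), QmId(ID_IPV4_ADDR_SUBNET, entry.dst)


def responder_accepts(local: SpdEntry, idci: QmId, idcr: QmId) -> bool:
    """Responder-side check. From the responder's view IDci names the *remote*
    side and IDcr the *local* side, so IDci is tested against the local entry's
    dst selector and IDcr against its src selector. Narrower proposals are fine;
    anything wider than the policy is refused."""
    return idci.data.subnet_of(local.dst) and idcr.data.subnet_of(local.src)
```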