Re: Inbound packet processing- mobile host problem
At 20:05 31.3.2000 +0530, you wrote:
>Hi all
>I have the following doubts regarding the IPSEC
>
>(1) According to the RFC, for the inbound packets, the SA (tunnel mode) is retrieved based on the
>
> --The Destination IP address of the Outer IP header
> --SPI
> --IPsec protocol
>
> (a) Does this mean that the security gateway can allot the same SPI value for the different IP addresses (supposing it has more than one IP address)?
>
Yes it can. I wouldn't implement it that way, though. It's easier to
check whether the destination addr belongs to the GW at all and then
do a (prot/SPI) lookup on incoming packets.
>(2) In the case of a mobile host contacting the home security gateway after dialing to a local PPP server on the Internet and then crossing the Internet to the home organization's firewall, then is there any automated way for the discovery/verification of the security gateway/mobile host??
>
I'm afraid that you have to rephrase that. A drawing (ASCII) would be nice
as well.
If you're asking how a FW and a SGW (two computers) can communicate
(how does the FW know that packets were handled by the SGW),
the usual way is to map the mobile users into a private network
using NAT.
>
>Venkatesh
>
Jörn Sierwald
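The two inbound lookup strategies discussed in this thread, side by side, as an added example that is not part of the original messages. The class names, gateway addresses (documentation ranges), SPI values and SA labels are all constructed for illustration.

```python
from ipaddress import ip_address

ESP, AH = 50, 51  # IP protocol numbers for the two IPsec protocols


class TripleSAD:
    """SA database keyed on (outer destination, SPI, protocol).

    With this key the same SPI may be allotted once per local address.
    """

    def __init__(self):
        self._sas = {}

    def add(self, dst, spi, proto, sa):
        key = (ip_address(dst), spi, proto)
        if key in self._sas:
            raise ValueError("SA selector already in use")
        self._sas[key] = sa

    def lookup(self, dst, spi, proto):
        return self._sas.get((ip_address(dst), spi, proto))


class PairSAD:
    """The reply's approach: first check that the destination belongs to
    the gateway at all, then look up on (protocol, SPI) only.

    SPIs must then be unique per protocol across all local addresses.
    """

    def __init__(self, local_addrs):
        self._local = {ip_address(a) for a in local_addrs}
        self._sas = {}

    def add(self, spi, proto, sa):
        if (proto, spi) in self._sas:
            raise ValueError("SPI already allotted for this protocol")
        self._sas[(proto, spi)] = sa

    def lookup(self, dst, spi, proto):
        if ip_address(dst) not in self._local:
            return None  # packet is not addressed to this gateway
        return self._sas.get((proto, spi))
```

The trade-off is visible in `add`: the triple-keyed table accepts a repeated SPI on a second address, while the pair-keyed table rejects it and so never needs the destination to disambiguate.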