
Re: Inbound packet processing- mobile host problem



At 20:05 31.3.2000 +0530, you wrote:
>Hi all
>I have the following doubts regarding the IPSEC
>
>(1)	According to the RFC, for the inbound packets, the SA (tunnel mode) is
>retrieved based on the
>
>            --The Destination IP address of the Outer IP header
>            --SPI
>            --IPsec protocol
>
>    (a) Does this mean that the security gateway can allot the same SPI
>    value for the different IP addresses (supposing it has
>    more than one IP address)?
>
Yes, it can. I wouldn't implement it that way, though. It's easier to
check whether the destination addr belongs to the GW at all and then
do a (prot/SPI) lookup on incoming packets.

>(2) In the case of a mobile host contacting the home security gateway
>after dialing to a local PPP server on the Internet and then crossing
>the Internet to the home organization's firewall, then is there any
>automated way for the discovery/verification of the security
>gateway/mobile host??
>
I'm afraid that you have to rephrase that. A drawing (ASCII) would be nice
as well.
If you're asking how a FW and a SGW (two computers) can communicate
(how does the FW know that packets were handled by the SGW),
the usual way is to map the mobile users into a private network
using NAT.

>
>Venkatesh
>

Jörn Sierwald
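
The two inbound lookups discussed in this message, side by side, as an added example that is not part of the original post or of any IPsec implementation. The flat-array SAD, the function names, the addresses (documentation ranges), the SPIs and the peer names are all hypothetical, and rejecting an ambiguous (prot/SPI) match is this example's choice.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { PROTO_ESP = 50, PROTO_AH = 51 };            /* IP protocol numbers */
struct sa { uint32_t dst; uint8_t proto; uint32_t spi; const char *peer; };

/* Constructed sample data: hypothetical gateway addresses, SPIs and peers. */
#define GW_A 0xC0000201u   /* 192.0.2.1 */
#define GW_B 0xC6336401u   /* 198.51.100.1 */
static const uint32_t gw_addrs[] = { GW_A, GW_B };
static const struct sa sad[] = {
    { GW_A, PROTO_ESP, 0x1000u, "peer-1" },
    { GW_B, PROTO_ESP, 0x1000u, "peer-2" },  /* same SPI, other gateway address */
    { GW_A, PROTO_AH,  0x2000u, "peer-3" },
};
#define N_SAD (sizeof sad / sizeof sad[0])

/* RFC-style lookup: the key is (outer destination, protocol, SPI). */
const struct sa *lookup_triple(uint32_t dst, uint8_t proto, uint32_t spi) {
    for (size_t i = 0; i < N_SAD; i++)
        if (sad[i].dst == dst && sad[i].proto == proto && sad[i].spi == spi)
            return &sad[i];
    return NULL;
}

/* Approach from the reply: accept only packets addressed to the gateway,
 * then key on (protocol, SPI) alone. Returns NULL when the packet is not
 * for us, no SA matches, or the SPI is not unique across addresses. */
const struct sa *lookup_two_step(uint32_t dst, uint8_t proto, uint32_t spi) {
    const struct sa *hit = NULL;
    int ours = 0;
    for (size_t i = 0; i < sizeof gw_addrs / sizeof gw_addrs[0]; i++)
        ours |= (gw_addrs[i] == dst);
    if (!ours) return NULL;
    for (size_t i = 0; i < N_SAD; i++) {
        if (sad[i].proto != proto || sad[i].spi != spi) continue;
        if (hit) return NULL;   /* duplicate (prot/SPI): scheme needs unique SPIs */
        hit = &sad[i];
    }
    return hit;
}

int main(void) {
    const struct sa *s = lookup_triple(GW_B, PROTO_ESP, 0x1000u);
    printf("triple:   %s\n", s ? s->peer : "no SA");
    s = lookup_two_step(GW_B, PROTO_ESP, 0x1000u);
    printf("two-step: %s\n", s ? s->peer : "no unique SA");
    return 0;
}
```

With the triple key, SPI 0x1000 resolves to a different SA per gateway address; the (prot/SPI) lookup only works if the gateway hands out SPIs that are unique per protocol across all of its addresses.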

