
Subnet and range IDs in Phase II (corrected)



	Correction in the example.

-----Original Message-----
From: EXT antonio.barrera@nokia.com [mailto:antonio.barrera@nokia.com]
Sent: 07. July 2000 16:28
To: ipsec@lists.tislabs.com
Subject: Subnet and range IDs in Phase II


	How are these updated in the SAD?
Is it allowed to specify a proxy as a subnet (addr + mask) when updating the
SAD? The person who implemented my IPSEC says no, but I think it must be
possible to use SUBNET IDs.
And how do people do it for an ADDR RANGE?

Here's an example for the SUBNET case:

	H* - SG1	=========== SG2 (end host is the gateway itself)

The policies are:

	SG1: H* <-> SG2(through tunnel with SG2 itself)
	SG2: SG2 <-> H*(through tunnel with SG1)
	The Phase II IDs will be H* (IPV4 SUBNET ID) and SG2 (IPV4 ID)

	When updating the SAD in SG2, the parameters for the:
	inbound SA should be SRC = SG1, DST = SG2, PROXY = SG2
	outbound SA should be SRC = SG2, DST = SG1, PROXY = H*
Is that right?

	Can someone provide a case when the RANGE IDs are used? I have no
idea how to do it. (Maybe it's because my IPSEC only allows the
specification of subnets and no ranges, so it's limited to SUBNET IDs.)

	Any help would be greatly appreciated.

Toni
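As an added illustration (not part of Toni's message or of any reply on the list), here is SG2's SAD from the example above in Python, with an identity match that covers the plain IPV4 ID, the IPV4 SUBNET ID and the IPV4 RANGE ID forms asked about, plus the inbound check that a decapsulated packet really falls under the SA's identities. The addresses are constructed placeholders, and expressing the post's single PROXY field as a local/remote identity pair per SA is my framing, not something the post states.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses standing in for the post's SG1, SG2 and H* (labels taken from the post).
SG1 = ipaddress.ip_address("198.51.100.1")
SG2 = ipaddress.ip_address("203.0.113.1")
H_STAR = ipaddress.ip_network("192.0.2.0/24")        # IPV4 SUBNET ID (addr + mask)
H_RANGE = (ipaddress.ip_address("192.0.2.10"),
           ipaddress.ip_address("192.0.2.20"))       # IPV4 RANGE ID (low..high), for comparison


def id_matches(ident, addr):
    """Does one Phase II identity (single address, subnet or inclusive range) cover addr?"""
    addr = ipaddress.ip_address(addr)
    if isinstance(ident, tuple):                     # RANGE ID: inclusive, need not align to a mask
        low, high = ident
        return low <= addr <= high
    if isinstance(ident, ipaddress.IPv4Network):     # SUBNET ID
        return addr in ident
    return addr == ident                             # plain IPV4 ID


@dataclass(frozen=True)
class SA:
    src: ipaddress.IPv4Address   # outer (tunnel) source
    dst: ipaddress.IPv4Address   # outer (tunnel) destination
    inner_src: object            # identity the protected inner source must match
    inner_dst: object            # identity the protected inner destination must match


# SG2's SAD for the post's example: H* sits behind SG1, SG2 is itself the other end host.
SG2_SAD = [
    SA(src=SG1, dst=SG2, inner_src=H_STAR, inner_dst=SG2),   # inbound SA
    SA(src=SG2, dst=SG1, inner_src=SG2, inner_dst=H_STAR),   # outbound SA
]


def outbound_sa(sad, pkt_src, pkt_dst):
    """Return the SA whose identities cover an outgoing inner packet, or None if no SA applies."""
    for sa in sad:
        if id_matches(sa.inner_src, pkt_src) and id_matches(sa.inner_dst, pkt_dst):
            return sa
    return None


def inbound_accept(sa, inner_src, inner_dst):
    """After decapsulation, accept the inner packet only if it falls under the SA's identities.
    A packet whose inner source lies outside H* but arrived on this SA is discarded."""
    return id_matches(sa.inner_src, inner_src) and id_matches(sa.inner_dst, inner_dst)
```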