
Protocol specific and port specific SAs



	How exactly do these IPSEC features work?
I've been testing some IPSEC/IKE software and I'm not sure if the results
are correct.
	For example if I have this environment:
------
	How do I specify a SHARED SA for protocols TCP & ICMP only, for
example?
(I'm not sure if I'm doing it the wrong way or it's just a small bug in the
other code.)
	The configuration I use is this:

	My end host (E), Gateway (GW), Host behind GW (H)

		H ------ GW ======= E	SA (shared for tcp & icmp)

	2 policies specifying:

		Selector 1: H <-> E icmp 
		Selector 2: H <-> E tcp	
		
		(through the tunnel GW)
		(Both using same IPSEC and IKE SAs!)

	If GW acts as an INITIATOR, it sends the protocol number (i.e. tcp(6))
with the Phase II IDs when it shouldn't (Or yes?). That makes E think it's
trying to negotiate a TCP-specific SA and updates the SA database accordingly.
After that the packets are discarded because they don't match the SA spec
configured in E that says that the SA is shared (not protocol-specific as I
use it).
	If GW acts as a RESPONDER, E sends phase II IDs WITHOUT setting the
protocol ID, but then GW complains that this doesn't match the
policy where tcp is set.
-----
	So the thing here is: Should IKE send the protocol number specified
in the selector when the SA is shared? I think no, because then the other
side doesn't know if we want to negotiate a protocol-specific SA (1 new SA
for each new protocol) or a shared SA (1 SA for all the protocols, TCP and
ICMP here).
	If the protocol is always sent, how do we know if we are negotiating
an SA that will be shared among different protocols?

	Thanks a lot.

Toni
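The mismatch Toni describes can be reproduced with a small selector-matching model. The following is an added example written for this page; it is not code from the IKE implementations being tested, and the matching rule it uses (a wildcard in the responder's policy accepts a specific value, but a wildcard in the proposal only fits a wildcard policy) is an assumption chosen to mirror the two observed outcomes. The addresses for H and E are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY: Optional[int] = None  # wildcard for protocol or port (None = any)


@dataclass(frozen=True)
class Selector:
    """Traffic selector, as carried in an IKEv1 Phase II ID payload or
    stored as a Security Policy Database (SPD) entry."""
    src: str
    dst: str
    proto: Optional[int] = ANY   # IP protocol number, None = any protocol
    port: Optional[int] = ANY    # transport port, None = any port


def _field_fits(policy_val: Optional[int], proposed_val: Optional[int]) -> bool:
    # A wildcard policy accepts anything; a specific policy needs the same value.
    # A wildcard proposal therefore only fits a wildcard policy.
    return policy_val is ANY or policy_val == proposed_val


def proposal_fits_policy(policy: Selector, proposed: Selector) -> bool:
    """True if the proposed Phase II IDs describe traffic the policy covers.
    Accepting a wider proposal would mean carrying more traffic than the
    responder's policy allows, so it is rejected (assumed rule)."""
    return (policy.src == proposed.src and policy.dst == proposed.dst
            and _field_fits(policy.proto, proposed.proto)
            and _field_fits(policy.port, proposed.port))


def negotiate(initiator_policy: Selector, responder_spd: List[Selector]) -> dict:
    """Simulate one Phase II exchange: the initiator sends its own selector
    as the IDs, the responder looks for an SPD entry that covers them, and
    the SA that gets installed is exactly as narrow as the proposal."""
    for policy in responder_spd:
        if proposal_fits_policy(policy, initiator_policy):
            narrowed = ((policy.proto is ANY and initiator_policy.proto is not ANY)
                        or (policy.port is ANY and initiator_policy.port is not ANY))
            return {"accepted": True, "installed": initiator_policy,
                    "narrower_than_policy": narrowed}
    return {"accepted": False, "installed": None, "narrower_than_policy": False}


# Constructed topology from the post: H behind GW, E the end host.
H, E = "10.0.1.5", "192.0.2.10"
gw_spd = [Selector(H, E, proto=1), Selector(H, E, proto=6)]   # icmp, tcp
e_spd = [Selector(H, E, proto=ANY)]                           # one shared SA


def gw_initiates() -> List[dict]:
    """GW proposes per-protocol IDs to E's single shared-SA policy."""
    return [negotiate(p, e_spd) for p in gw_spd]


def e_initiates() -> List[dict]:
    """E proposes a protocol-less ID to GW's per-protocol policies."""
    return [negotiate(p, gw_spd) for p in e_spd]


if __name__ == "__main__":
    for r in gw_initiates():
        print("GW initiator:", r)
    for r in e_initiates():
        print("E initiator: ", r)
```

With GW as initiator both proposals are accepted, but the SA installed at E carries the specific protocol and is flagged as narrower than E's shared selector, which is why E's later packet checks fail in the post. With E as initiator the protocol-less ID fits neither of GW's per-protocol entries, matching the "doesn't match the policy" complaint. Whether either behaviour is correct is exactly the question the post raises; the model only makes the two outcomes visible.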

