
Re: typical IPsec-based VPNs incl. modecfg vs. DHCP



Hi Derek,

[recipient list trimmed...]

Derek Atkins wrote:
> 
> "Scott G. Kelly" <scott@airespace.com> writes:
> 
> > In such cases, no SPD entries are consulted following the routing
> > lookup, and the routing table (effectively) becomes the SAD/SPD. I think
> > this has obvious issues in terms of satisfying the selector criteria you
> > outlined in RFC2401, for the reasons I enumerated above.
> 
> This works fine for output processing, but not necessarily for input
> processing.

I guess I don't understand what you mean. I don't think it works
according to what is specified in RFC2401, as (1) you cannot control the
SPD ordering due to the fact that route selection is best match (unless
your SPD happens to be ordered from most specific to least specific),
and (2) you cannot select traffic based on protocols/ports. So, it
doesn't really work right (where "right" means "in accordance with
RFC2401") for either egress or ingress, does it?

Scott
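The two objections above (route selection is longest-prefix match rather than ordered first-match, and a route carries no protocol/port selectors) can be made concrete with a small model. The following is an added example, not code from the thread or from any IPsec implementation: the SPD, the routing table, the interface-to-action mapping and the sample packets are all constructed here for illustration. It performs an RFC2401-style ordered SPD lookup and a longest-prefix routing lookup on the same packets and shows where the route-based answer diverges from the policy.

```python
import ipaddress

# Constructed example data (not from the thread). An RFC2401 SPD is an
# ordered list searched first-match; entries carry selectors beyond the
# destination prefix (here: protocol and destination port).
# Entry layout: (destination prefix, protocol or None, dst port or None, action)
SPD = [
    ("10.1.0.0/16", "tcp", 22,   "bypass"),  # ssh to the site in the clear
    ("10.1.5.0/24", None,  None, "discard"), # quarantined subnet: drop everything
    ("10.1.0.0/16", None,  None, "protect"), # all other site traffic via the SA
    ("0.0.0.0/0",   None,  None, "bypass"),  # Internet traffic in the clear
]

# A route-based VPN has only this: a routing table. Traffic sent out the
# tunnel interface is protected, everything else goes out in the clear.
# Entry layout: (destination prefix, outgoing interface)   [constructed]
ROUTES = [
    ("10.1.0.0/16", "ipsec0"),  # site reachable through the tunnel
    ("10.1.5.0/24", "eth0"),    # a more specific route added later
    ("0.0.0.0/0",   "eth0"),
]

# Assumed mapping from interface to IPsec treatment (hypothetical).
ROUTE_ACTION = {"ipsec0": "protect", "eth0": "bypass"}


def spd_lookup(spd, dst, proto, port):
    """RFC2401-style lookup: walk the SPD in order, first match wins."""
    dst_ip = ipaddress.ip_address(dst)
    for prefix, sel_proto, sel_port, action in spd:
        if dst_ip not in ipaddress.ip_network(prefix):
            continue
        if sel_proto is not None and sel_proto != proto:
            continue
        if sel_port is not None and sel_port != port:
            continue
        return action
    return "discard"  # RFC2401: a packet matching no SPD entry is dropped


def route_lookup(routes, dst):
    """Routing lookup: longest matching prefix wins; list order is
    irrelevant (ties on prefix length keep the first one seen)."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return ROUTE_ACTION[best[1]] if best else "discard"


def compare(spd, routes, packets):
    """Return (packet, spd_action, route_action) for each packet."""
    return [(pkt, spd_lookup(spd, *pkt), route_lookup(routes, pkt[0]))
            for pkt in packets]


# Constructed sample packets: (destination, protocol, destination port)
PACKETS = [
    ("10.1.9.3", "tcp", 22),   # ssh into the site
    ("10.1.9.3", "udp", 53),   # dns into the site
    ("10.1.5.7", "tcp", 80),   # http into the quarantined subnet
    ("10.1.5.7", "tcp", 22),   # ssh into the quarantined subnet
]

if __name__ == "__main__":
    for pkt, a, b in compare(SPD, ROUTES, PACKETS):
        print(pkt, "SPD:", a, "route-based:", b, "" if a == b else "<-- differs")
    # Reversing the SPD changes the decision; reversing the routes does not.
    print(spd_lookup(SPD[::-1], "10.1.9.3", "udp", 53),
          route_lookup(ROUTES[::-1], "10.1.9.3"))
```

Two of the four packets get a different treatment: ssh to 10.1.9.3 is "bypass" by policy but "protect" by routing, because a route cannot see the port; http to 10.1.5.7 is "discard" by policy but "bypass" by routing, because the more specific /24 wins regardless of where the administrator placed it. Reversing the SPD turns the dns packet from "protect" into "bypass", while reversing the routing table changes nothing, which is the ordering problem in objection (1).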