whether IKE v1 (RFC2409) supports negotiation of unidirectional policy selectors

Hi,

I have a query regarding the meaning of
'unidirectional policy/SA' and IKE's capability to
negotiate such policies.

Suppose the setup is like this:

   Net1======SG1 ------------ SG2 ========Net2

An IKE daemon is running at SG1 and SG2.

Does the property of an SA being
unidirectional allow the existence of the following
scenarios?

(A) Inbound and outbound IPsec policies where SA
protocols and algorithm attributes are different in
each direction.

Policy Database:

             Peer1                 Peer2
Inbound      ESP Tunnel (3DES)     AH Tunnel (HMAC-MD5)
Outbound     AH Tunnel (HMAC-MD5)  ESP Tunnel (3DES)

Thus, no matter who initiates a connection, whenever
Peer1 sends data to Peer2, AH tunnel mode will be used,
and when Peer2 sends data to Peer1, ESP tunnel mode
will be used.
Also, if IKE is used for SA exchange, 4 SAs will be
created at each peer: two for AH tunnel mode and two
for ESP tunnel mode.
Please correct me if I am wrong.


(B) Inbound and outbound policies are different, where
IPsec is applied only in the outbound direction and in
the inbound direction the packets are allowed in plain
text?
  Can IKE negotiate such unidirectional policies so
that only outbound SAs are set up at SG1?
  Is there any linkage between IKE role (Initiator/
Responder) and policy direction?

regards
 sanjay
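As an added illustration of the two scenarios in the message above (this is example code, not part of the original post), the following Python model holds per-direction policies for two gateways, checks that the peers' policy databases mirror each other (each side's outbound policy must match the other side's inbound policy), and counts the SAs that would be installed under the assumption that every IKEv1 Quick Mode exchange yields one pair of SAs (inbound and outbound) sharing a single protocol/algorithm set. The peer names, the Policy class and the bypass action are constructed for the example.

```python
# Added example, not from the original mailing-list post. Models the policy
# databases of two IPsec gateways and checks direction-by-direction
# consistency. Assumption: an IKEv1 Quick Mode exchange always installs a
# pair of SAs (one per direction) with one protocol/algorithm set, so a
# direction-asymmetric policy needs two exchanges.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    protocol: str            # "ESP", "AH", or "none" when bypassed
    mode: str                # "tunnel" or "transport"
    algorithm: str           # e.g. "3DES", "HMAC-MD5"
    action: str = "protect"  # "protect" or "bypass" (plaintext allowed)

# Scenario (A) from the post, as constructed sample data: a different
# protocol in each direction, with the peers configured as mirror images.
SPD_A = {
    "Peer1": {"inbound": Policy("ESP", "tunnel", "3DES"),
              "outbound": Policy("AH", "tunnel", "HMAC-MD5")},
    "Peer2": {"inbound": Policy("AH", "tunnel", "HMAC-MD5"),
              "outbound": Policy("ESP", "tunnel", "3DES")},
}

# Scenario (B): SG1 protects outbound traffic only and lets inbound traffic
# pass in plaintext; SG2 is given an ordinary bidirectional policy.
SPD_B = {
    "SG1": {"inbound": Policy("none", "none", "none", action="bypass"),
            "outbound": Policy("ESP", "tunnel", "3DES")},
    "SG2": {"inbound": Policy("ESP", "tunnel", "3DES"),
            "outbound": Policy("ESP", "tunnel", "3DES")},
}

def mirror_mismatches(spd, a, b):
    """Return the direction pairs in which peer a's policy does not mirror
    peer b's. Traffic in a mismatched direction is handled differently by
    sender and receiver, so it will not be accepted as intended."""
    bad = []
    if spd[a]["outbound"] != spd[b]["inbound"]:
        bad.append(f"{a} outbound vs {b} inbound")
    if spd[a]["inbound"] != spd[b]["outbound"]:
        bad.append(f"{a} inbound vs {b} outbound")
    return bad

def quick_mode_sas(spd, peer):
    """Count SAs installed at a peer when each distinct protect policy is
    negotiated by its own Quick Mode exchange yielding an SA pair. Scenario
    (A) therefore installs 4 SAs per peer, only 2 of which carry traffic."""
    protect = {p for p in spd[peer].values() if p.action == "protect"}
    return 2 * len(protect)
```

Running the checks on SPD_A reports no mismatch and 4 SAs per peer; on SPD_B the plaintext inbound side of SG1 is flagged against SG2's protected outbound policy, which is the gap the post's scenario (B) asks about.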
