whether IKE v1 (RFC2409) supports negotiation of unidirectional policy selectors
Hi,
I have a query regarding the 'meaning of
unidirectional policy/SA' and IKE's capability to
negotiate such policies.
Suppose the setup is like this:
Net1======SG1 ------------ SG2 ========Net2
An IKE daemon is running at SG1 and SG2.
Does the property of an SA being
uni-directional allow the existence of the following
scenarios?
(A) Inbound and outbound ipsec policies where SA
protocols and algorithm attributes are different in
each direction
Policy Database:

               Peer 1                 Peer 2
    Inbound    ESP Tunnel (3DES)      AH Tunnel (HMAC-MD5)
    Outbound   AH Tunnel (HMAC-MD5)   ESP Tunnel (3DES)
Thus no matter who initiates a connection, whenever
Peer1 sends data to Peer2, AH Tunnel mode will be used
and when Peer 2 sends data to Peer 1, ESP Tunnel mode
will be used.
Also if IKE is used for SA exchange, 4 SAs will be
created at each Peer, two for AH Tunnel mode and two
for ESP Tunnel Mode.
Please correct me if I am wrong.
(B) Inbound and outbound policies are different, where
IPsec is applied only in the outbound direction and in
the inbound direction the packets are allowed in plain
text?
Can IKE negotiate such unidirectional policies so
that only outbound SAs are set up at SG1?
Is there any linkage between IKE role (Initiator
/Responder) and policy direction?
regards
sanjay
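An added example (not part of the post above) that models the two scenarios it describes: a tiny per-direction SPD for each gateway, a check that one peer's outbound policy mirrors the other's inbound policy, and the set of SAs that would be installed versus actually selected. It assumes, per RFC 2409, that each Quick Mode negotiation yields one inbound and one outbound SA for the negotiated protocol; the names `Policy`, `peer`, `SG1_A` and so on are constructed for this illustration.

```python
# Added illustration, not from the post. Assumption (RFC 2409): each IKEv1
# Quick Mode negotiation installs an inbound AND an outbound SA for its protocol.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    action: str           # "ipsec" or "bypass"
    protocol: str = ""    # "ESP" or "AH" when action == "ipsec"
    algorithm: str = ""   # e.g. "3DES" or "HMAC-MD5"


def peer(inbound, outbound):
    """SPD of one gateway, keyed by traffic direction."""
    return {"in": inbound, "out": outbound}


def mirrors(a, b):
    """What one side sends must be exactly what the other side expects."""
    if a.action != b.action:
        return False
    return a.action == "bypass" or (a.protocol, a.algorithm) == (b.protocol, b.algorithm)


def policies_consistent(p1, p2):
    """p1's outbound policy must match p2's inbound policy, and vice versa."""
    return mirrors(p1["out"], p2["in"]) and mirrors(p2["out"], p1["in"])


def quick_mode_sas(p):
    """SAs installed after Quick Mode: an in/out pair for every protocol the SPD needs."""
    sas = set()
    for pol in p.values():
        if pol.action == "ipsec":
            sas |= {("in", pol.protocol, pol.algorithm), ("out", pol.protocol, pol.algorithm)}
    return sas


def selected_sas(p):
    """SAs the SPD will actually choose for traffic in each direction."""
    return {(d, pol.protocol, pol.algorithm) for d, pol in p.items() if pol.action == "ipsec"}


def unused_sas(p):
    """Installed by IKE, but never selected by policy (constructed check)."""
    return quick_mode_sas(p) - selected_sas(p)


# Scenario A from the post (constructed values)
SG1_A = peer(Policy("ipsec", "ESP", "3DES"), Policy("ipsec", "AH", "HMAC-MD5"))
SG2_A = peer(Policy("ipsec", "AH", "HMAC-MD5"), Policy("ipsec", "ESP", "3DES"))
# Scenario B: SG1 protects outbound traffic only and accepts inbound in the clear
SG1_B = peer(Policy("bypass"), Policy("ipsec", "ESP", "3DES"))
SG2_B = peer(Policy("ipsec", "ESP", "3DES"), Policy("bypass"))
```

For scenario A each gateway ends up with four SAs of which two are never selected; for scenario B the inbound ESP SA that Quick Mode pairs with the outbound one is installed but bypassed by the inbound policy.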