Re: ipsec SAs
At 12:07 -0400 7/18/03, George Hadjichristofi wrote:
>Hi,
>
>I have a question about IPSec SAs.
>
>There is a network such as:
>A----Gateway1 ===tunnel====Gateway2 ----B
>
>A and B are the subnets.
>Gateway 1 and 2 negotiate a tunnel such that A can communicate securely with B.
>
>Based on RFC2401, does that mean that A will only be able to talk to B and
>no other nodes on the network, or just that it will talk to B via a secure
>tunnel and to everybody else in cleartext?
>
>Should A be able to talk to Gateway2?
>
>Thank you
>George
>
The scenario in your diagram is common. The administrators for the
security gateways decide whether the tunnel that is created between
them will carry all traffic between any two hosts on the subnets
behind them, or just traffic between A & B, or even whether a
separate tunnel is created for each different connection between A &
B, etc. Depending on how these administrators choose to define the
SPD entries for communication between these two subnets, there are
lots of possibilities.
You ask whether A should be able to talk to Gateway 2. Again, this
will be a function of the SPD entries.
Steve
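A small illustration of the point Steve makes, added here and not part of the thread or of any IPsec implementation: three alternative SPD tables for Gateway1, evaluated against outbound packets from host A, showing how the same topology yields "A talks only to B", "A talks to B through the tunnel and to everyone else in the clear", or "A cannot reach Gateway2 at all". The subnets, host addresses and Gateway2's outer address are constructed; the lookup follows RFC 2401's ordered, first-match SPD semantics with discard when nothing matches, and deliberately ignores the inbound direction and the SAD.

```python
"""Toy RFC 2401 Security Policy Database (SPD) lookup.

Added illustration, not code from the thread: it models how the SPD
entries on a security gateway decide whether a given packet is
PROTECTed (sent through the tunnel), BYPASSed (sent in cleartext) or
DISCARDed. All addresses and subnets below are constructed examples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology:  A----Gateway1 ===tunnel=== Gateway2----B
SUBNET_A = ipaddress.ip_network("10.1.0.0/24")
SUBNET_B = ipaddress.ip_network("10.2.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
HOST_A = "10.1.0.5"
HOST_B = "10.2.0.7"
GW2 = "192.0.2.2"       # outer address of Gateway2 (constructed, TEST-NET-1)
OTHER = "203.0.113.9"   # unrelated host on the Internet (constructed)


@dataclass
class SPDEntry:
    """One SPD entry: selectors plus the action to take on a match."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                  # "PROTECT", "BYPASS" or "DISCARD"
    proto: Optional[int] = None  # None = any IP protocol
    dport: Optional[int] = None  # None = any destination port

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


def spd_lookup(spd, src, dst, proto=6, dport=80):
    """RFC 2401 semantics: entries are ordered and the first match wins;
    a packet that matches no entry MUST be discarded."""
    for entry in spd:
        if entry.matches(src, dst, proto, dport):
            return entry.action
    return "DISCARD"


# Policy 1: one tunnel carries *all* traffic between the two subnets;
# anything else from subnet A leaves Gateway1 in cleartext.
SPD_WHOLE_SUBNETS = [
    SPDEntry(SUBNET_A, SUBNET_B, "PROTECT"),
    SPDEntry(SUBNET_A, ANY, "BYPASS"),
]

# Policy 2: only HTTP from host A to host B is protected; A can still
# reach Gateway2's outer address and everyone else in cleartext.  Note
# that a narrow selector like this lets A's other traffic to B (e.g.
# SSH) bypass the tunnel, a common misconfiguration to check for.
SPD_AB_ONLY = [
    SPDEntry(ipaddress.ip_network(HOST_A + "/32"),
             ipaddress.ip_network(HOST_B + "/32"),
             "PROTECT", proto=6, dport=80),
    SPDEntry(SUBNET_A, ANY, "BYPASS"),
]

# Policy 3: strict; subnet A may talk to subnet B through the tunnel
# and to nobody else, not even Gateway2.
SPD_STRICT = [
    SPDEntry(SUBNET_A, SUBNET_B, "PROTECT"),
]


def decide(spd, dst, proto=6, dport=80):
    """Outbound decision for a packet from host A to dst under this SPD."""
    return spd_lookup(spd, HOST_A, dst, proto, dport)


if __name__ == "__main__":
    for name, spd in (("whole subnets", SPD_WHOLE_SUBNETS),
                      ("A-B HTTP only", SPD_AB_ONLY),
                      ("strict", SPD_STRICT)):
        print(name, {
            "A->B http": decide(spd, HOST_B),
            "A->B ssh": decide(spd, HOST_B, dport=22),
            "A->GW2": decide(spd, GW2),
            "A->other": decide(spd, OTHER),
        })
```

Running the script prints, for each policy, what happens to A's HTTP and SSH traffic to B, to Gateway2's outer address, and to an unrelated host; the second policy is the one to look at when auditing, since it protects one flow while silently passing the rest of A's traffic to B in the clear.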