Initial Contact Message processing
Hi,
We found one problem during interoperability testing and I thought
I would inform the list for feedback.
It seems that some implementations, while processing an IC message,
delete all IPSEC and IKE SAs that correspond to the source IP address of
the IC message.
This works well in most scenarios, but fails to work when there
is more than one Security Gateway or Client behind a NAT gateway.
For instance, take this example:
Security Client 1
                  ----------NAT Gateway-------Internet--------SG-----LAN
Security Client 2
At one time, both clients have tunnels established with the SG (acting as a
remote access server; only the Clients initiate the phase 1 exchange),
and the SG will see both tunnels coming from the NAT Gateway IP address.
If Client 1 gets restarted, it sends an IC message to the SG.
The SG, upon receipt, deletes the tunnels established by Client 1 and also
deletes the tunnels that were created by Client 2.
The DOI (RFC 2407) states that, upon receipt of an IC message, implementations
might delete tunnels associated with the sending system.
It is observed that identification of the 'sending system' is being done
based on the source IP address of the IC message in some implementations.
I feel that it should be based on the 'Phase 1 ID' (FQDN, USER FQDN,
USER DN etc.) and/or the source IP address.
Some clarification on IC message processing in the DOI document might be
helpful.
Thanks
Vamsi
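The two Initial Contact behaviours described in the message, modelled as an added example (not code from the post or from any IKE implementation). The NAT address, Phase 1 identities and SPIs are constructed for illustration.

```python
"""Initial Contact (IC) handling when several IKE peers sit behind one NAT.

Added example, not code from the original post. Addresses, identities and
SPIs are constructed; the SA database is a plain list of records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    spi: int
    peer_ip: str      # source address as seen by the SG (NAT outside address)
    phase1_id: str    # IKE Phase 1 identity (FQDN, USER FQDN, USER DN ...)


def ic_delete_by_ip(sadb, ic_src_ip):
    """Behaviour observed in the post: 'sending system' == source IP.

    Every peer behind the same NAT shares that IP, so all of their SAs are
    torn down, not just the restarted peer's."""
    return [sa for sa in sadb if sa.peer_ip != ic_src_ip]


def ic_delete_by_identity(sadb, ic_src_ip, ic_phase1_id):
    """Behaviour proposed in the post: match Phase 1 ID and source IP.

    Only SAs negotiated by the peer that actually sent the IC are removed."""
    return [
        sa for sa in sadb
        if not (sa.peer_ip == ic_src_ip and sa.phase1_id == ic_phase1_id)
    ]


def scenario():
    """Two clients behind one NAT; Client 1 restarts and sends an IC message."""
    nat = "203.0.113.10"  # constructed NAT gateway outside address
    sadb = [
        SA(0x1001, nat, "client1.example.com"),  # Client 1, IKE SA
        SA(0x1002, nat, "client1.example.com"),  # Client 1, IPsec SA
        SA(0x2001, nat, "client2.example.com"),  # Client 2, IPsec SA
    ]
    after_naive = ic_delete_by_ip(sadb, nat)
    after_fixed = ic_delete_by_identity(sadb, nat, "client1.example.com")
    return after_naive, after_fixed


if __name__ == "__main__":
    naive, fixed = scenario()
    print("by source IP only, SAs left:", [hex(sa.spi) for sa in naive])
    print("by Phase 1 ID + IP, SAs left:", [hex(sa.spi) for sa in fixed])
```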