
Re: Initial Contact Message processing



David Wierbowski writes:
> Are you saying that an identity may use IPSec from one device only?

A user can use IPsec from multiple devices, but if you want to have a
working solution going through NATs, each identity should only be tied
to one device. This is normally the case: your private key is only
stored on exactly one machine, and it is tied to one certificate
having one identity. If you have another device you use to connect to
the same VPN, you should have a separate private key and identity for
that (for example an FQDN).

In some cases you might want to use only one identity and you want to
clear out old identities, for example in cases where you use a SecurID
card or similar and you have forgotten to log out from the office
workstation, and you then log in with the same card from your home.

All of this depends on the configuration and policy defined in the VPN
gateway. 

> It seems to me that I may want to establish a phase 1 SA with you from
> two different work stations at the same time.

There is nothing preventing you from configuring your systems to allow
that.

> Are you saying that I would need 2 phase 1 IDs to do that?

Yes, if you want to use NAT traversal or IKEv2 and you want to send
INITIAL_CONTACT notifications. 

> Is it a generally accepted limitation of IPSec that identities are
> tied to a particular device?

Normally identities are tied either to the device or to the user.
Everything again depends on the policy. 

> This would have to be true in order to process an INITIAL-CONTACT
> notification based on IDs only.

In the NAT-T draft and also in IKEv2, INITIAL-CONTACT is processed
only based on the authenticated identities:

From draft-ietf-ipsec-ikev2-12.txt:
----------------------------------------------------------------------
        INITIAL_CONTACT                          16384

            This notification asserts that this IKE_SA is the only
            IKE_SA currently active between the authenticated
            identities. It MAY be sent when an IKE_SA is established
            after a crash, and the recipient MAY use this information to
            delete any other IKE_SAs it has to the same authenticated
            identity without waiting for a timeout.  This notification
            MUST NOT be sent by an entity that may be replicated (e.g.,
            a roaming user's credentials where the user is allowed to
            connect to the corporate firewall from two remote systems at
            the same time).
-- 
kivinen@iki.fi
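The responder-side behaviour the quoted draft text describes, as an added example that is not part of the mail above and not code from any IKE implementation. It models a gateway's IKE_SA table keyed by SPI, acts on INITIAL_CONTACT only after the peer's identity is authenticated, matches stale SAs by that identity alone (two hosts behind one NAT share a source address anyway, so the address is useless for this), and has the initiator refuse to send INITIAL_CONTACT when its credential may be replicated. The class and function names (Gateway, Client, connect, the scenario_* functions), the identities and the addresses are invented for the example.

```python
"""Toy model of INITIAL_CONTACT processing per draft-ietf-ipsec-ikev2-12.
Illustrative example only; names and sample data are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INITIAL_CONTACT = 16384  # notify message type from the draft


@dataclass
class IkeSa:
    spi: int
    peer_addr: Tuple[str, int]   # address/port seen on the wire (after NAT)
    identity: str                # authenticated identity (FQDN, cert DN, ...)


@dataclass
class Gateway:
    """VPN gateway's table of established IKE_SAs (hypothetical)."""
    sas: Dict[int, IkeSa] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def ike_auth(self, spi: int, peer_addr: Tuple[str, int], identity: str,
                 authenticated: bool, notifies: Tuple[int, ...] = ()) -> bool:
        """Complete IKE_AUTH for a new IKE_SA and honour INITIAL_CONTACT.

        Stale SAs are matched by authenticated identity only, never by
        peer address: two workstations behind one NAT look the same there.
        """
        if not authenticated:
            # Acting on an unauthenticated INITIAL_CONTACT would let anyone
            # tear down a victim's SAs just by claiming the victim's identity.
            self.log.append(f"spi={spi:#x}: authentication failed, ignoring")
            return False
        if INITIAL_CONTACT in notifies:
            stale = [s for s in self.sas.values()
                     if s.identity == identity and s.spi != spi]
            for old in stale:
                del self.sas[old.spi]
                self.log.append(f"spi={old.spi:#x}: deleted on INITIAL_CONTACT "
                                f"from {identity} (new spi={spi:#x})")
        self.sas[spi] = IkeSa(spi, peer_addr, identity)
        return True

    def active_spis(self, identity: str) -> List[int]:
        """SPIs of all IKE_SAs currently held for one authenticated identity."""
        return sorted(s.spi for s in self.sas.values() if s.identity == identity)


@dataclass
class Client:
    """Initiator side: decides whether it may assert INITIAL_CONTACT."""
    identity: str
    replicated: bool   # credential may be in use from several hosts at once

    def notifies(self) -> Tuple[int, ...]:
        # The draft: INITIAL_CONTACT MUST NOT be sent by an entity that may
        # be replicated (e.g. one roaming credential on two remote systems).
        return () if self.replicated else (INITIAL_CONTACT,)


def connect(gw: Gateway, client: Client, spi: int,
            peer_addr: Tuple[str, int], authenticated: bool = True) -> bool:
    return gw.ike_auth(spi, peer_addr, client.identity, authenticated,
                       client.notifies())


def scenario_one_identity_two_hosts() -> List[int]:
    """Same identity from office and home behind one NAT (constructed data):
    the second INITIAL_CONTACT deletes the first host's IKE_SA."""
    gw = Gateway()
    connect(gw, Client("alice@example.com", False), 0x1001, ("203.0.113.5", 4500))
    connect(gw, Client("alice@example.com", False), 0x1002, ("203.0.113.5", 4501))
    return gw.active_spis("alice@example.com")


def scenario_separate_identities() -> Tuple[List[int], List[int]]:
    """One identity per device, as the mail advises: both SAs survive."""
    gw = Gateway()
    connect(gw, Client("office.example.com", False), 0x2001, ("203.0.113.5", 4500))
    connect(gw, Client("home.example.com", False), 0x2002, ("203.0.113.5", 4501))
    return gw.active_spis("office.example.com"), gw.active_spis("home.example.com")


def scenario_replicated_credential() -> List[int]:
    """Credential flagged as replicable: no INITIAL_CONTACT, both SAs stay."""
    gw = Gateway()
    connect(gw, Client("bob@example.com", True), 0x3001, ("198.51.100.9", 500))
    connect(gw, Client("bob@example.com", True), 0x3002, ("203.0.113.5", 4500))
    return gw.active_spis("bob@example.com")


def scenario_unauthenticated_attacker() -> List[int]:
    """Someone claims Alice's identity with INITIAL_CONTACT but fails
    authentication: Alice's existing SA must remain."""
    gw = Gateway()
    connect(gw, Client("alice@example.com", False), 0x4001, ("203.0.113.5", 4500))
    connect(gw, Client("alice@example.com", False), 0x4002, ("192.0.2.77", 500),
            authenticated=False)
    return gw.active_spis("alice@example.com")
```

The first scenario is also the SecurID case from the mail: when the user really is one person who forgot to log out at the office, having the home login's INITIAL_CONTACT remove the office SA is the desired outcome; the same mechanism is why two simultaneous logins under one identity cannot coexist once INITIAL_CONTACT is in use.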