Re: Issue #68: VPNs with overlapping IP address ranges (was Re: 2401bis issues (possible) resolution)
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Tero" == Tero Kivinen <kivinen@xxxxxx> writes:
>> When a security Gateway is operating on behalf of multiple contexts
>> (e.g. multiple subscribers, or multiple ppvpn-style overlay addressing
>> contexts), it is essential that the initiator be able to convey to the
>> responder which context is being addressed.
Tero> Do not use IP addresses as IKE SA identities then. Use DNS
Tero> names or email addresses or something else. There is no need to use
Tero> IP addresses in those cases (or actually using IP addresses would
Tero> be quite bad, as they are not unique...).
Particularly for IKEv2, the #1 reason to use IP addresses as IDs in IKEv1
was because of limitations of PSK.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
-----END PGP SIGNATURE-----
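To make the two points in this exchange concrete (address-typed IDs collide across contexts with overlapping ranges, and IKEv1 main mode with a PSK could only select the key by source address), here is a small responder-side model added for this thread. It is not code from the thread or from any IKE implementation; the tenant names, addresses, keys and the PeerTable class are constructed for illustration.

```python
"""
Toy model of peer selection on an IKE responder that serves several
addressing contexts (subscribers / overlay VPNs) with overlapping ranges.
Added example for this thread, not code from any IKE implementation;
tenant names, addresses and keys below are constructed.
"""
from dataclasses import dataclass

# Identification payload types as named in RFC 2407 (IKEv1) and RFC 4306 (IKEv2).
ID_IPV4_ADDR = "ID_IPV4_ADDR"
ID_FQDN = "ID_FQDN"
ID_RFC822_ADDR = "ID_RFC822_ADDR"


@dataclass(frozen=True)
class Peer:
    context: str    # constructed label for the subscriber / overlay
    outer_ip: str   # source address the IKE packets arrive from
    id_type: str    # ID payload type the peer presents
    id_value: str   # ID payload value
    psk: bytes      # pre-shared key configured for this peer


class AmbiguousIdentity(Exception):
    """More than one configured peer matches the selector the responder has."""


class PeerTable:
    def __init__(self, peers):
        self.peers = list(peers)

    def by_id(self, id_type, id_value):
        """Select a peer from its ID payload. An ID_IPV4_ADDR taken from a
        private range is reused by every context that uses that range; an
        FQDN or e-mail ID names the context and stays unique."""
        hits = [p for p in self.peers
                if (p.id_type, p.id_value) == (id_type, id_value)]
        if not hits:
            raise KeyError(f"no peer with {id_type}={id_value}")
        if len(hits) > 1:
            raise AmbiguousIdentity(
                f"{id_type}={id_value} matches contexts "
                + ", ".join(sorted(p.context for p in hits)))
        return hits[0]

    def psk_ikev1_main_mode(self, outer_ip):
        """IKEv1 main mode with PSK (RFC 2409): SKEYID is derived from the
        PSK, and the ID payloads in messages 5 and 6 are encrypted under
        keys derived from SKEYID, so the responder must choose the PSK
        from the packet source address before it has seen any identity.
        That is why the identity was, in practice, the IP address, and
        why two contexts cannot present the same address."""
        keys = {p.psk for p in self.peers if p.outer_ip == outer_ip}
        if not keys:
            raise KeyError(f"no peer at {outer_ip}")
        if len(keys) > 1:
            raise AmbiguousIdentity(f"{outer_ip} maps to {len(keys)} PSKs")
        return keys.pop()

    def psk_ikev2(self, id_type, id_value):
        """IKEv2: IDi arrives in IKE_AUTH, protected by keys derived from the
        IKE_SA_INIT Diffie-Hellman exchange alone, so the PSK can be chosen
        by identity and the identity need not be an address."""
        return self.by_id(id_type, id_value).psk


def outcome(fn, *args):
    """Run a lookup and fold its result or failure into one value."""
    try:
        return fn(*args)
    except AmbiguousIdentity:
        return "ambiguous"
    except KeyError:
        return "unknown"


# Constructed peer table.  tenant-a and tenant-b both number their sites
# from 10.1.0.0/16; tenant-c sits in an overlay that reuses 192.0.2.10 as
# an outer address.  Each tenant is listed once with an address ID and once
# with an FQDN ID so the two styles can be compared side by side.
PEERS = PeerTable([
    Peer("tenant-a", "192.0.2.10",   ID_IPV4_ADDR, "10.1.0.1",            b"a-psk"),
    Peer("tenant-b", "198.51.100.7", ID_IPV4_ADDR, "10.1.0.1",            b"b-psk"),
    Peer("tenant-a", "192.0.2.10",   ID_FQDN,      "gw.tenant-a.example", b"a-psk"),
    Peer("tenant-b", "198.51.100.7", ID_FQDN,      "gw.tenant-b.example", b"b-psk"),
    Peer("tenant-c", "192.0.2.10",   ID_FQDN,      "gw.tenant-c.example", b"c-psk"),
])


if __name__ == "__main__":
    # Address IDs collide across tenants; FQDN IDs do not.
    print("by IP id :", outcome(PEERS.by_id, ID_IPV4_ADDR, "10.1.0.1"))
    print("by FQDN  :", outcome(PEERS.by_id, ID_FQDN, "gw.tenant-b.example").context)
    # IKEv1 main mode can only key the PSK by source address ...
    print("v1 PSK   :", outcome(PEERS.psk_ikev1_main_mode, "192.0.2.10"))
    # ... while IKEv2 keys it by identity, so a shared outer address is harmless.
    print("v2 PSK   :", outcome(PEERS.psk_ikev2, ID_FQDN, "gw.tenant-c.example"))
```

The IKEv1 limitation modelled here is specific to main mode: aggressive mode carries the ID in the first message in the clear, so a responder can select the PSK by identity there too, at the cost of exposing the identity on the wire. Running the script shows the address-typed lookup and the IKEv1 source-address lookup both reporting "ambiguous", while the FQDN lookups resolve to a single tenant.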