
Phase 2 IDs for different VPNs with different address spaces

I have an interesting problem, and I am hoping that someone on the list
can help with the solution.

I am implementing an SGW that has many physical interfaces (T1, T3, etc.)
to different private networks.  Each private network has its own address
space.  A very simple architecture looks like this:

VPN 1, site A                                     VPN 1, site B
-------+        +------+          +------+        +-------
       |        |      |          |      |        |
       +--------+      |          |      +--------+
                | GW A +----------+ GW B |
       +--------+      |          |      +--------+
       |        |      |          |      |        |
-------+        +------+          +------+        +-------
VPN 2, site A                                     VPN 2, site B

My thinking is, I do a phase 1 IKE between GW A and GW B.

To set up the ESP tunnel for VPN 1, I do a phase 2 IKE between GW A and
GW B, using PFS.  I do another similar phase 2 exchange for VPN 2 to set
up the ESP tunnel for this VPN.

Question:  how do I identify that my clients are a particular VPN?

I can't use ID_IPV4_ADDR_SUBNET, since each VPN has its own address

I could use ID_FQDN, but then I couldn't specify the IP addresses (plus
it's ugly).  What I'd really like is to specify a 32-bit VPN identifier,
along with the IP subnet and transport port.  Can I do this without
defining new ID types?

I could use ID_KEYID, but it really doesn't identify a key, and, of
course, it wouldn't be interoperable.  However, I will use this if this
seems to be the preferred method.

Any help would be greatly appreciated.

Daniel Fox
Senior Software Engineer
Ennovate Networks
60 Codman Hill Road, Boxborough, MA 01719, USA
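The following Python is an added illustration of the problem in the post above; it is not code from the post or from Ennovate's gateway. It builds IKEv1 Identification payload bodies (field layout and ID type numbers from the IPsec DOI, RFC 2407 section 4.6.2) and keys a toy phase 2 selector table on the (local ID, remote ID) pair, the way an SPD lookup would. Two VPNs whose sites both use 10.1.0.0/24 and 10.2.0.0/24 produce byte-identical ID_IPV4_ADDR_SUBNET payloads and collide; packing a 32-bit VPN identifier into ID_KEY_ID data keeps them distinct. The KEY_ID layout (4-byte VPN id, 4-byte address, 4-byte mask), the SelectorTable class and the subnets are assumptions constructed for this example, not an interoperable format.

```python
"""Phase 2 identification payloads for overlapping private address spaces.

Added illustration, not code from the original post. ID type values and
the (type, protocol, port, data) layout follow RFC 2407 section 4.6.2; the
way a VPN identifier is packed into ID_KEY_ID data is assumed here.
"""
import ipaddress
import struct

# Identification type values, RFC 2407 section 4.6.2.1
ID_IPV4_ADDR_SUBNET = 4
ID_KEY_ID = 11

# Protocol ID field values (IANA protocol numbers; 0 means any)
PROTO_ANY = 0
PROTO_TCP = 6


def encode_id_body(id_type, proto, port, data):
    """Body of an IKEv1 Identification payload: 1-byte ID type, 1-byte
    protocol, 2-byte port, then the type-specific identification data."""
    return struct.pack("!BBH", id_type, proto, port) + data


def encode_subnet_id(cidr, proto=PROTO_ANY, port=0):
    """ID_IPV4_ADDR_SUBNET: 4-byte network address followed by 4-byte mask.
    Note that nothing in this payload says which VPN the subnet belongs to."""
    net = ipaddress.IPv4Network(cidr)
    return encode_id_body(ID_IPV4_ADDR_SUBNET, proto, port,
                          net.network_address.packed + net.netmask.packed)


def encode_vpn_keyid(vpn_id, cidr, proto=PROTO_ANY, port=0):
    """ID_KEY_ID with an assumed private layout: 4-byte VPN id, 4-byte
    address, 4-byte mask. The DOI leaves KEY_ID data opaque, so only a peer
    that agrees on this layout can interpret it (hence not interoperable)."""
    net = ipaddress.IPv4Network(cidr)
    data = struct.pack("!I", vpn_id) + net.network_address.packed + net.netmask.packed
    return encode_id_body(ID_KEY_ID, proto, port, data)


def _subnet_str(eight):
    """Turn 4-byte address + 4-byte mask into CIDR text, e.g. '10.1.0.0/24'."""
    addr = ipaddress.IPv4Address(eight[:4])
    mask = ipaddress.IPv4Address(eight[4:8])
    return str(ipaddress.IPv4Network(f"{addr}/{mask}"))


def decode_id_body(body):
    """Parse an ID payload body; understands ID_IPV4_ADDR_SUBNET and the
    assumed 12-byte ID_KEY_ID layout, and keeps anything else as raw bytes."""
    id_type, proto, port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    out = {"type": id_type, "proto": proto, "port": port, "vpn_id": None, "subnet": None}
    if id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        out["subnet"] = _subnet_str(data)
    elif id_type == ID_KEY_ID and len(data) == 12:
        out["vpn_id"] = struct.unpack("!I", data[:4])[0]
        out["subnet"] = _subnet_str(data[4:])
    else:
        out["raw"] = data
    return out


class SelectorTable:
    """Toy phase 2 SA table keyed on the exchanged (local ID, remote ID) pair.
    Installing a second VPN under an identical pair is reported as a collision."""

    def __init__(self):
        self._entries = {}

    def install(self, local_id, remote_id, vpn_name):
        key = (local_id, remote_id)
        if key in self._entries and self._entries[key] != vpn_name:
            raise ValueError(f"selector pair already bound to {self._entries[key]}")
        self._entries[key] = vpn_name

    def lookup(self, local_id, remote_id):
        return self._entries.get((local_id, remote_id))


def demo():
    """Constructed scenario: VPN 1 and VPN 2 both use 10.1.0.0/24 at site A
    and 10.2.0.0/24 at site B. Returns (subnet-only IDs collide?, VPN found
    when looking up VPN 2's keyed selector pair)."""
    subnet_only = SelectorTable()
    a, b = encode_subnet_id("10.1.0.0/24"), encode_subnet_id("10.2.0.0/24")
    subnet_only.install(a, b, "VPN 1")
    try:
        subnet_only.install(a, b, "VPN 2")  # same bytes as VPN 1's pair
        collision = False
    except ValueError:
        collision = True

    keyed = SelectorTable()
    for vpn_id, name in ((1, "VPN 1"), (2, "VPN 2")):
        keyed.install(encode_vpn_keyid(vpn_id, "10.1.0.0/24"),
                      encode_vpn_keyid(vpn_id, "10.2.0.0/24"), name)
    found = keyed.lookup(encode_vpn_keyid(2, "10.1.0.0/24"),
                         encode_vpn_keyid(2, "10.2.0.0/24"))
    return collision, found


if __name__ == "__main__":
    print(demo())
    print(decode_id_body(encode_vpn_keyid(7, "10.1.0.0/24", PROTO_TCP, 443)))
```

Running the module prints `(True, 'VPN 2')`: the subnet-only IDs for the two VPNs are byte-for-byte equal, so the gateway has no way to tell which tunnel a phase 2 exchange belongs to, while the keyed IDs select the right SA. The price is that the 12-byte KEY_ID layout is private to the two gateways that agree on it, which is exactly the interoperability concern raised in the post.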