
Re: Phase 2 IDs for different VPNs with different Address Space



Scott,

    I thought of that, but I wanted to avoid having a different certificate
for each VPN on each gateway.  I also wanted to avoid having to do a separate
phase one for each VPN.  The number of VPNs I will need to support is large.
But perhaps that's what I ought to do. Either that or go ahead and try to get
new ID types defined.

    Thanks for your input.

-Dan

"Scott G. Kelly" wrote:

> Hi Daniel,
>
> One way to accomplish what you ask is by using DNs as identifiers, each
> with their own certs, one for each vpn group.
>
> Daniel Fox wrote:
> >
> > I have an interesting problem, and I am hoping that someone on the list
> > can help with the solution.
> >
> > I am implementing a sgw that has many physical interfaces (T1, T3, etc.)
> > to different private networks.  Each private network has its own address
> > space.  A very simple architecture looks like this:
> >
> > VPN 1, site A                                     VPN 1, site B
> > -------+        +------+          +------+        +-------
> >        |        |      |          |      |        |
> >        +--------+      |          |      +--------+
> >                 | GW A +----------+ GW B |
> >        +--------+      |          |      +--------+
> >        |        |      |          |      |        |
> > -------+        +------+          +------+        +-------
> > VPN 2, site A                                     VPN 2, site B
> >
> > My thinking is, I do a phase 1 IKE between GW A and GW B.
> >
> > To set up the ESP tunnel for VPN 1, I do a phase 2 IKE between GW A and
> > GW B, using PFS.  I do another similar phase 2 exchange for VPN 2 to set
> > up the ESP tunnel for this VPN.
> >
> > Question:  how do I identify that my clients are a particular VPN?
> >
> > I can't use ID_IPV4_ADDR_SUBNET, since each VPN has its own address
> > space.
> >
> > I could use ID_FQDN, but then I couldn't specify the IP addresses (plus
> > it's ugly).  What I'd really like is to specify a 32-bit VPN identifier,
> > along with the IP subnet and transport port.  Can I do this without
> > defining new ID types?
> >
> > I could use ID_KEYID, but it really doesn't identify a key, and, of
> > course, it wouldn't be interoperable.  However, I will use this if this
> > seems to be the preferred method.
> >
> > Any help would be greatly appreciated.
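
[Editor's note, not part of the thread above: the following is an added
example that models the problem Daniel describes at the byte level.  It
encodes phase 2 Identification payloads in the IPsec DOI layout (RFC 2407
section 4.6.2: generic payload header, then ID Type, Protocol ID, Port and
ID data), shows that two VPNs which both use the same private address space
produce byte-identical ID_IPV4_ADDR_SUBNET payloads, so a responder cannot
tell whose quick mode it is, and then shows the ID_KEY_ID variant Daniel
floats.  The "32-bit VPN number followed by address and mask" layout inside
ID_KEY_ID is a constructed, private encoding (not defined by any RFC and, as
he says, not interoperable); the sample subnets and VPN numbers are
constructed too.  Nothing here is code from the list participants.]

```python
"""Byte-level model of IKEv1 phase 2 Identification payloads (RFC 2407 s4.6.2)."""
import ipaddress
import struct

# ID Type values from RFC 2407 section 4.6.2.1 (RFC spelling is ID_KEY_ID).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_IPV4_ADDR_SUBNET = 4
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11


def build_id_payload(id_type, id_data, protocol_id=0, port=0, next_payload=0):
    """Generic ISAKMP payload header + ID Type, Protocol ID, Port, ID data."""
    length = 8 + len(id_data)
    return struct.pack("!BBHBBH", next_payload, 0, length,
                       id_type, protocol_id, port) + id_data


def subnet_id(cidr, protocol_id=0, port=0):
    """ID_IPV4_ADDR_SUBNET: 4-byte network address followed by 4-byte mask."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return build_id_payload(ID_IPV4_ADDR_SUBNET,
                            net.network_address.packed + net.netmask.packed,
                            protocol_id, port)


def vpn_keyid(vpn_id, cidr, protocol_id=0, port=0):
    """Constructed private scheme: ID_KEY_ID carrying vpn_id (32 bit) + addr + mask.

    Only a peer running this same code can interpret it; it is not interoperable.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    data = struct.pack("!I", vpn_id) + net.network_address.packed + net.netmask.packed
    return build_id_payload(ID_KEY_ID, data, protocol_id, port)


def parse_id_payload(buf):
    """Decode one Identification payload; reject malformed headers/lengths."""
    if len(buf) < 8:
        raise ValueError("short ID payload")
    next_payload, reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    if reserved != 0 or length != len(buf):
        raise ValueError("malformed ID payload header")
    data = buf[8:]
    out = {"type": id_type, "protocol_id": proto, "port": port}
    if id_type == ID_IPV4_ADDR_SUBNET:
        if len(data) != 8:
            raise ValueError("ID_IPV4_ADDR_SUBNET needs 4-byte address + 4-byte mask")
        addr = str(ipaddress.IPv4Address(data[:4]))
        mask = str(ipaddress.IPv4Address(data[4:]))
        out["subnet"] = str(ipaddress.IPv4Network((addr, mask), strict=False))
    elif id_type == ID_KEY_ID:
        out["key_id"] = data          # opaque to anyone but the peer that defined it
    elif id_type == ID_FQDN:
        out["fqdn"] = data.decode("ascii")
    else:
        out["data"] = data
    return out


def responder_match(policy, idci, idcr):
    """Names of every configured VPN whose (IDci, IDcr) pair equals the received one."""
    return [name for name, pair in policy.items() if pair == (idci, idcr)]


def demo():
    # Constructed sample: two customer VPNs that both use 10.1/16 at site A
    # and 10.2/16 at site B, exactly the overlap described in the thread.
    sites = {"vpn1": ("10.1.0.0/16", "10.2.0.0/16"),
             "vpn2": ("10.1.0.0/16", "10.2.0.0/16")}
    numbers = {"vpn1": 1, "vpn2": 2}

    # Standard selectors at GW B: policy keyed by the ID payload bytes.
    std_policy = {n: (subnet_id(a), subnet_id(b)) for n, (a, b) in sites.items()}
    # VPN 2's quick mode arrives; its IDs are byte-identical to VPN 1's.
    subnet_match = responder_match(std_policy, subnet_id("10.1.0.0/16"),
                                   subnet_id("10.2.0.0/16"))

    # Private ID_KEY_ID tagging: the 32-bit VPN number disambiguates.
    tagged_policy = {n: (vpn_keyid(numbers[n], a), vpn_keyid(numbers[n], b))
                     for n, (a, b) in sites.items()}
    keyid_match = responder_match(tagged_policy, vpn_keyid(2, "10.1.0.0/16"),
                                  vpn_keyid(2, "10.2.0.0/16"))
    return {"subnet_match": subnet_match, "keyid_match": keyid_match}


if __name__ == "__main__":
    print(demo())
```

With plain subnet IDs `demo()` reports both VPNs as matches for a single
quick mode, which is the ambiguity the question is about; the ID_KEY_ID
variant matches exactly one, at the cost of a format only this pair of
gateways understands.  Scott's alternative (a DN per VPN group, each with its
own certificate, so the VPN is fixed in phase 1 rather than phase 2) needs
no private ID encoding but, as Daniel notes, multiplies certificates and
phase 1 exchanges.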