[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Phase 2 ID's for different VPN's with different Address Space



  Dan,

  I think the key here is "Each VPN has its own address space which may
or may not overlap." In that case the answer is that there is no way
to handle this using IPSec (today). At least I don't see a way. If you
could rule out overlapping address space it would work the way I 
described; if you can't then I don't think there's an a way to do this
which would guarantee interoperability. There's no concept of a VPN
as a selector parameter.

  Dan.

On Mon, 01 Nov 1999 20:12:47 EST you wrote
> 
> Dan,
> 
> Thanks for the reply.
> 
> I think amending my architecture to include the subnets will clarify things.
> 
> VPN 1, site A                                     VPN 1, site B
> ---------+        +------+          +------+        +---------
> 10.1/16  |        |      |          |      |        |  10.2/16
>          +--------+      |          |      +--------+
>                   | GW A +----------+ GW B |
>          +--------+      |          |      +--------+
> 10.1/16  |        |      |          |      |        |  10.2/16
> ---------+        +------+          +------+        +---------
> VPN 2, site A                                     VPN 2, site B
> 
> Each VPN has its own address space which may or may not overlap.  In the abov
>e
> example, VPN 1 has two sites with 10.1/16 subnet and 10.2/16 subnet.  VPN 2 a
>lso
> has two sites, one with a 10.1/16 subnet, and the other a 10.2/16 subnet.  (T
>his
> is a requirement as we don't want to mandate which addresses each VPN chooses
> to
> use).
> 
> The first packet arrives from VPN1, site A (and I know this from the L2 inter
>face
> it uses), destined for VPN1, site B.
> 
> GWA initiates phase 1 with GWB.  They use DN ID's (because each has a certifi
>cate)
> for this phase.
> 
> Then GWA initiates phase 2 with GWB.  Let's say they use ID_IPV4_ADDR_SUBNET 
>for
> both IDci and IDcr.  Then IDci=10.1/16 and IDcr=10.2/16.  When GWB sees the p
>hase
> 2 ID's, GWB has no way of knowing whether the ID's correspond to the address 
>space
> of VPN1 or VPN2.  Therefore, when GWB receives an ESP packet from GWA with th
>e SPI
> negotiated, GWB has no idea whether to forward the packet to VPN 1, site B or
> VPN
> 2, site B.
> 
> I hope this make it clearer.  Dan, does this change your answer?  Or did I
> misunderstand your answer?
> 
> -Dan