
Re: Phase 2 ID's for different VPN's with different Address Space



How about using either SIT_SECRECY or SIT_INTEGRITY
together with the secrecy/integrity category being either VPN1
or VPN2?

Ari

Dan Harkins wrote:

>   Dan,
>
>   I think the key here is "Each VPN has its own address space which may
> or may not overlap." In that case the answer is that there is no way
> to handle this using IPSec (today). At least I don't see a way. If you
> could rule out overlapping address space it would work the way I
> described; if you can't then I don't think there's a way to do this
> which would guarantee interoperability. There's no concept of a VPN
> as a selector parameter.
>
>   Dan.
>
> On Mon, 01 Nov 1999 20:12:47 EST you wrote
> >
> > Dan,
> >
> > Thanks for the reply.
> >
> > I think amending my architecture to include the subnets will clarify things.
> >
> > VPN 1, site A                                     VPN 1, site B
> > ---------+        +------+          +------+        +---------
> > 10.1/16  |        |      |          |      |        |  10.2/16
> >          +--------+      |          |      +--------+
> >                   | GW A +----------+ GW B |
> >          +--------+      |          |      +--------+
> > 10.1/16  |        |      |          |      |        |  10.2/16
> > ---------+        +------+          +------+        +---------
> > VPN 2, site A                                     VPN 2, site B
> >
> > Each VPN has its own address space which may or may not overlap.  In the above
> > example, VPN 1 has two sites with 10.1/16 subnet and 10.2/16 subnet.  VPN 2 also
> > has two sites, one with a 10.1/16 subnet, and the other a 10.2/16 subnet.  (This
> > is a requirement as we don't want to mandate which addresses each VPN chooses to
> > use).
> >
> > The first packet arrives from VPN1, site A (and I know this from the L2 interface
> > it uses), destined for VPN1, site B.
> >
> > GWA initiates phase 1 with GWB.  They use DN ID's (because each has a certificate)
> > for this phase.
> >
> > Then GWA initiates phase 2 with GWB.  Let's say they use ID_IPV4_ADDR_SUBNET for
> > both IDci and IDcr.  Then IDci=10.1/16 and IDcr=10.2/16.  When GWB sees the phase
> > 2 ID's, GWB has no way of knowing whether the ID's correspond to the address space
> > of VPN1 or VPN2.  Therefore, when GWB receives an ESP packet from GWA with the SPI
> > negotiated, GWB has no idea whether to forward the packet to VPN 1, site B or VPN
> > 2, site B.
> >
> > I hope this makes it clearer.  Dan, does this change your answer?  Or did I
> > misunderstand your answer?
> >
> > -Dan

--
Ari Huttunen                   phone: +358 9 859 900
Senior Software Engineer       fax  : +358 9 8599 0452

Data Fellows Corporation       http://www.DataFellows.com

F-Secure products: Integrated Solutions for Enterprise Security
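The selector collision described in the quoted message, as an added example that is not part of the original thread: a toy Python model of GW B's policy table for the two VPNs in the diagram. Both VPNs use 10.1/16 behind GW A and 10.2/16 behind GW B, so a Quick Mode proposal carrying only ID_IPV4_ADDR_SUBNET selectors matches two SPD entries and the responder cannot tell which egress interface the resulting SA belongs to. A second table carries an opaque per-VPN label standing in for the secrecy/integrity category Ari proposes; with it, each proposal matches exactly one entry. The `category` string is an abstraction, not the RFC 2407 Situation wire encoding, and the interface names and SPI values are constructed for the example.

```python
"""
Toy model of the Phase 2 selector ambiguity from the thread above.
Added example: GW B's SPD for two customer VPNs with overlapping
address space, and the responder's choice of policy for a proposal.
All names, interfaces and SPIs are illustrative.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Phase2Ids:
    """Selectors carried in Quick Mode as ID_IPV4_ADDR_SUBNET."""
    idci: str                       # initiator's client subnet
    idcr: str                       # responder's client subnet
    category: Optional[str] = None  # hypothetical per-VPN label; None = ID-only negotiation


@dataclass(frozen=True)
class SpdEntry:
    """One GW B policy: which VPN and egress interface a subnet pair belongs to."""
    vpn: str
    local: str      # subnet behind GW B
    remote: str     # subnet behind GW A
    egress: str     # L2 interface toward the customer site
    category: Optional[str] = None


class AmbiguousSelectorError(Exception):
    """More than one SPD entry matches the negotiated IDs."""


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


def entry_matches(entry: SpdEntry, ids: Phase2Ids) -> bool:
    """On the responder, IDci names the remote subnet and IDcr the local one."""
    if _net(entry.remote) != _net(ids.idci) or _net(entry.local) != _net(ids.idcr):
        return False
    # If either side carries a label, both must, and they must agree.
    if entry.category is not None or ids.category is not None:
        return entry.category == ids.category
    return True


def select_spd_entry(spd: List[SpdEntry], ids: Phase2Ids) -> Optional[SpdEntry]:
    """Return the single matching policy, None if none, or raise if several match."""
    hits = [e for e in spd if entry_matches(e, ids)]
    if len(hits) > 1:
        raise AmbiguousSelectorError(
            f"{ids.idci}->{ids.idcr} matches {[e.vpn for e in hits]}")
    return hits[0] if hits else None


def install_inbound_sa(sad: Dict[int, str], spi: int, entry: SpdEntry) -> None:
    """Bind the negotiated SPI to the egress interface of the chosen policy."""
    sad[spi] = entry.egress


def forward_decrypted(sad: Dict[int, str], spi: int) -> str:
    """Where GW B sends a packet after ESP decapsulation, keyed only by SPI."""
    return sad[spi]


# GW B's policy for the diagram: both VPNs are 10.1/16 <-> 10.2/16.
SPD_UNLABELED = [
    SpdEntry("VPN1", local="10.2.0.0/16", remote="10.1.0.0/16", egress="eth1"),
    SpdEntry("VPN2", local="10.2.0.0/16", remote="10.1.0.0/16", egress="eth2"),
]
# Same policy with an opaque per-VPN category attached to each entry.
SPD_LABELED = [
    SpdEntry("VPN1", "10.2.0.0/16", "10.1.0.0/16", "eth1", category="VPN1"),
    SpdEntry("VPN2", "10.2.0.0/16", "10.1.0.0/16", "eth2", category="VPN2"),
]


def negotiate(spd: List[SpdEntry], ids: Phase2Ids, spi: int,
              sad: Optional[Dict[int, str]] = None) -> Optional[str]:
    """Responder side of Quick Mode: pick the policy, install the SA, report egress."""
    sad = {} if sad is None else sad
    entry = select_spd_entry(spd, ids)
    if entry is None:
        return None
    install_inbound_sa(sad, spi, entry)
    return forward_decrypted(sad, spi)


def demo() -> dict:
    """Run the unlabeled (colliding) and labeled (disambiguated) cases."""
    results = {}
    plain = Phase2Ids("10.1.0.0/16", "10.2.0.0/16")
    try:
        negotiate(SPD_UNLABELED, plain, spi=0x1001)
        results["unlabeled"] = "ok"
    except AmbiguousSelectorError:
        results["unlabeled"] = "ambiguous"
    sad: Dict[int, str] = {}
    results["vpn1"] = negotiate(SPD_LABELED, Phase2Ids("10.1.0.0/16", "10.2.0.0/16", "VPN1"), 0x1001, sad)
    results["vpn2"] = negotiate(SPD_LABELED, Phase2Ids("10.1.0.0/16", "10.2.0.0/16", "VPN2"), 0x1002, sad)
    # An unlabeled proposal against a labeled SPD matches nothing rather than guessing.
    results["plain_vs_labeled"] = select_spd_entry(SPD_LABELED, plain)
    return results


if __name__ == "__main__":
    print(demo())
```

The model deliberately refuses an ambiguous match instead of picking the first entry, which is the failure mode the thread is worried about: a gateway that silently installs the SA under the wrong VPN would deliver one customer's traffic to another's site.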