isakmpd - multiple IPSec SAs for single ISAKMP SA
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: isakmpd - multiple IPSec SAs for single ISAKMP SA
- From: Brian Buesker <bbuesker_(_at_)_qualcomm_(_dot_)_com>
- Date: Thu, 21 Aug 2003 15:24:17 -0700
I have been experimenting with isakmpd on Linux 2.6. I would like to do
the following: For two nodes that have more than one IP address,
establish a single ISAKMP security association which can then be used to
protect the negotiation of multiple IPsec security associations. For
example, if the first host has IP addresses A and B, and the second has
A' and B', I would like to establish a single ISAKMP SA, say between A
and B, and then use that to negotiate an IPsec SA between A and A', and
another one between B and B'. In trying to do this, I have found that
separate IPsec SPIs are not being allocated by either the initiator or the
responder because the IP addresses used in the ISAKMP SA negotiation are
what are being passed to the kernel when an SPI is requested.
Should the above setup be possible to do, or must the IP addresses used
for the ISAKMP negotiation also match the IP addresses specified in the
<IPsec-connection> section? Thanks.
Brian