Re: ipsec subnet negotiation
From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 12 Jul 2003 17:24:35 GMT
In article <firstname.lastname@example.org>, <email@example.com> wrote as one continuous line, in violation of the RFCs that limit posting lines to 256 characters:
:Does anyone know if, in IPSEC negotiations (namely IKE), the encryption
:subnets on both ends must be the same? In case we have a scenario in
:which, e.g., a firewall is accepting ipsec lan2lan connections directed
:to LAN1 and LAN2 is added to provide additional services to other
:clients, can I include this LAN2 as part of the "encryption domain"
:(checkpoint(tm) jargon) without affecting the already existing lan2lan
:connections to LAN1?
Yes and no.
For IPSec, each disjoint subnet has its own Security Association, so if
you were to add another disjoint subnet to an existing configuration,
then any existing Security Association would not be disturbed. On the
other hand, your firewall might not start to use the newly configured
Security Association until you tell it to clear the active SAs --
this would depend on the firewall (and possibly the software release).
If, though, you were to extend an existing subnet (e.g., take it
from a /28 to a /27 in the configuration) and you did not do the
same thing on the other side before SAs are renegotiated, then you are
very likely to get Strange Behaviour, probably including having
traffic able to flow in one direction but not the other. You probably
will not get any warning if the subnets do not match between the
two ends: it just won't work -- oh, and the *way* it doesn't work
will depend on which side happened to initiate the connection.
--
I've been working on a kernel
All the livelong night.
I've been working on a kernel
And it still won't work quite right.
-- J. Benson & J. Doll
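The two situations in the reply (adding a disjoint subnet versus widening an existing one on only one side) can be walked through with a small model of phase-2 negotiation. The following is an added example, not code from the original post or from any firewall vendor. It assumes a simplified IKE: each gateway keeps a list of configured selectors (the "encryption domain"), an initiator proposes one of its own selectors verbatim, and the responder accepts a proposal only if it equals one of its policies or, when narrowing is enabled, fits inside one (the IKEv2 traffic-selector rule of RFC 7296 section 2.9; many IKEv1 stacks instead require an exact proxy-ID match, in which case the widened case fails in both directions). All addresses are constructed for the example.

```python
"""Toy model of per-subnet IPsec phase-2 (child SA) negotiation.

Added example; the acceptance rule and on-demand SA setup below are
simplifying assumptions about peer behaviour, not any vendor's implementation.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import count


@dataclass(frozen=True)
class Selector:
    """Phase-2 selector (proxy ID / traffic selector): local subnet <-> remote subnet."""
    local: IPv4Network
    remote: IPv4Network

    def flipped(self) -> "Selector":
        # The same selector as the other peer sees it.
        return Selector(self.remote, self.local)

    def covers(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.local and dst in self.remote


@dataclass
class Gateway:
    name: str
    policies: list                          # configured selectors: the encryption domain
    sas: dict = field(default_factory=dict)  # negotiated Selector -> SA number
    narrow: bool = True                     # ASSUMPTION: accept proposals narrower than a policy (IKEv2-style)

    def policy_for(self, src, dst):
        return next((p for p in self.policies if p.covers(src, dst)), None)

    def sa_for(self, src, dst):
        return next((s for s in self.sas if s.covers(src, dst)), None)

    def accept(self, proposed: Selector) -> bool:
        """Responder check against this gateway's own policies (proposal already in its view)."""
        for pol in self.policies:
            if pol == proposed:
                return True
            if self.narrow and proposed.local.subnet_of(pol.local) and proposed.remote.subnet_of(pol.remote):
                return True
        return False


_sa_numbers = count(1)


def negotiate(initiator: Gateway, responder: Gateway, proposal: Selector) -> bool:
    """One phase-2 exchange: initiator proposes a configured selector, responder compares it from its side."""
    assert proposal in initiator.policies
    if not responder.accept(proposal.flipped()):
        return False
    n = next(_sa_numbers)
    initiator.sas[proposal] = n
    responder.sas[proposal.flipped()] = n
    return True


def send(src_gw: Gateway, dst_gw: Gateway, src: str, dst: str) -> str:
    """Follow one packet: policy lookup, on-demand SA setup, then the receiver's own SA check."""
    s, d = ip_address(src), ip_address(dst)
    pol = src_gw.policy_for(s, d)
    if pol is None:
        return "no-policy"          # outside the encryption domain: cleartext or drop, per firewall config
    if src_gw.sa_for(s, d) is None and not negotiate(src_gw, dst_gw, pol):
        return "dropped-by-sender"  # nothing to protect the packet with, and no warning to the user
    if dst_gw.sa_for(d, s) is None:
        return "dropped-by-receiver"
    return "delivered"


def scenario_add_disjoint_lan():
    """LAN2 added to both ends: a second SA appears, the LAN1 SA is untouched."""
    lan1 = Selector(ip_network("10.0.1.0/24"), ip_network("192.168.1.0/24"))
    lan2 = Selector(ip_network("10.0.2.0/24"), ip_network("192.168.1.0/24"))
    a, b = Gateway("fw-a", [lan1]), Gateway("fw-b", [lan1.flipped()])
    first = send(a, b, "10.0.1.10", "192.168.1.10")
    lan1_sa = a.sas[lan1]
    a.policies.append(lan2)
    b.policies.append(lan2.flipped())
    second = send(a, b, "10.0.2.10", "192.168.1.10")
    return first, second, a.sas[lan1] == lan1_sa, len(a.sas)


def scenario_widened_one_side(first_sender: str):
    """fw-a grew its subnet from /28 to /27, fw-b still has /28; outcome depends on who initiates."""
    a_pol = Selector(ip_network("10.0.0.0/27"), ip_network("192.168.1.0/24"))
    b_pol = Selector(ip_network("192.168.1.0/24"), ip_network("10.0.0.0/28"))
    a, b = Gateway("fw-a", [a_pol]), Gateway("fw-b", [b_pol])
    hops = [(a, b, "10.0.0.5", "192.168.1.10"), (b, a, "192.168.1.10", "10.0.0.5")]
    if first_sender == "b":
        hops.reverse()
    hops += [(a, b, "10.0.0.20", "192.168.1.10"),   # host only inside the widened /27
             (b, a, "192.168.1.10", "10.0.0.20")]
    return [send(*hop) for hop in hops]
```

Under these assumptions the disjoint-subnet case behaves as the reply says: the LAN1 SA keeps its number and LAN2 gets its own. In the widened case, if fw-a initiates first its /27 proposal is refused and its packet is silently dropped; if fw-b initiates first, fw-a accepts the narrower /28 and a tunnel comes up that only covers the old /28, so a host in the new half of the /27 can never reach the far side while fw-b does not even consider its traffic part of the tunnel.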