Re: ipsec subnet negotiation

From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 07/12/03

  • Next message: Snuffy2: "USB Flash Drive as a USB Token"
    Date: 12 Jul 2003 17:24:35 GMT
    
    

    In article <1057975260.265181@news.iol.pt>, <alex.abreu@iol.pt> wrote as one continuous line, in violation of the RFCs that limit posting lines to 256 characters:

    :Does anyone know if, in IPSEC negotiations (namely IKE), the encryption
    :subnets on both ends must be the same? In case we have a scenario in
    :which, e.g., a firewall is accepting ipsec lan2lan connections directed
    :to LAN1 and LAN2 is added to provide additional services to other
    :clients, can I include this LAN2 as part of the "encryption domain"
    :(checkpoint(tm) jargon) without affecting the already existing lan2lan
    :connections to LAN1?

    Yes and no.

    For IPSec, each disjoint subnet has its own Security Association, so if
    you were to add another disjoint subnet to an existing configuration,
    then any existing Security Association would not be disturbed. On the
    other hand, your firewall might not start to use the newly configured
    Security Association until you tell it to clear the active SAs --
    this would depend on the firewall (and possibly the software release).

    If, though, you were to extend an existing subnet (e.g., take it
    from a /28 to a /27 in the configuration) and you did not do the
    same thing on the other side before SAs are renegotiated, then you are
    very likely to get Strange Behaviour, probably including having
    traffic able to flow in one direction but not the other. You probably
    will not get any warning if the subnets do not match between the
    two ends: it just won't work -- oh, and the *way* it doesn't work
    will depend on which side happened to initiate the connection.

    -- 
       I've been working on a kernel
       All the livelong night.
       I've been working on a kernel
       And it still won't work quite right.      -- J. Benson & J. Doll
    
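The two situations in the reply above (a new disjoint subnet pair added on one end, and an existing subnet widened from a /28 to a /27 on one end only) can be caught before SAs are renegotiated by comparing both ends' traffic selectors. The following is an added example written for this page, not code from the original post or from any particular firewall vendor. It assumes a policy-based VPN in which each (local subnet, remote subnet) pair is its own phase-2 SA and the far end must carry the mirror image of that pair; the `Selector`, `compare` and `report` names and the 10.0.0.0/27 and 192.168.1.0/24 subnets are constructed for the example.

```python
"""Mirror-check two IPsec endpoints' traffic selectors before SAs are renegotiated.

Added example (not from the original post). Assumption: policy-based IPsec where each
(local, remote) subnet pair becomes one phase-2 SA and the peer must configure the
same pair with local/remote swapped. Finds pairs that are mirrored, pairs that overlap
but differ (the "extended subnet on one side only" case), and pairs only one end has.
"""
import ipaddress
from typing import NamedTuple


class Selector(NamedTuple):
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def parse_selectors(pairs):
    """Turn ("10.0.0.0/28", "192.168.1.0/24") string pairs into Selector objects."""
    return [Selector(ipaddress.ip_network(loc), ipaddress.ip_network(rem))
            for loc, rem in pairs]


def mirrored(sel):
    """Express one end's selector in the other end's local/remote terms."""
    return Selector(sel.remote, sel.local)


def uncovered(wider, narrower):
    """Networks inside `wider` that `narrower` leaves out; empty unless narrower is a
    strict subnet of wider (addresses one end would encrypt for that the other end
    never expects on that SA)."""
    if narrower == wider or not narrower.subnet_of(wider):
        return []
    return list(wider.address_exclude(narrower))


def compare(side_a, side_b):
    """Compare side A's selectors with side B's, seen from A's point of view.

    Each finding carries a status: 'mirrored' (both ends describe the same SA),
    'mismatch' (overlapping but different subnets, so one direction is likely to
    fail), 'only_on_a' / 'only_on_b' (a disjoint pair one end never configured;
    existing SAs are untouched, but that pair cannot come up until the peer adds it).
    """
    findings = []
    b_from_a = [mirrored(b) for b in side_b]
    matched_b = set()
    for a in side_a:
        if a in b_from_a:
            matched_b.add(a)
            findings.append({"status": "mirrored", "a": a, "b": a})
            continue
        overlapping = [b for b in b_from_a
                       if b.local.overlaps(a.local) and b.remote.overlaps(a.remote)]
        if not overlapping:
            findings.append({"status": "only_on_a", "a": a, "b": None})
            continue
        for b in overlapping:
            matched_b.add(b)
            findings.append({
                "status": "mismatch", "a": a, "b": b,
                "only_a_covers": uncovered(a.local, b.local) + uncovered(a.remote, b.remote),
                "only_b_covers": uncovered(b.local, a.local) + uncovered(b.remote, a.remote),
            })
    for b in b_from_a:
        if b not in matched_b:
            findings.append({"status": "only_on_b", "a": None, "b": b})
    return findings


def report(findings):
    """One human-readable line per finding."""
    lines = []
    for f in findings:
        if f["status"] == "mirrored":
            lines.append(f"OK       {f['a'].local} <-> {f['a'].remote}")
        elif f["status"] == "mismatch":
            extra_a = ", ".join(map(str, f["only_a_covers"])) or "-"
            extra_b = ", ".join(map(str, f["only_b_covers"])) or "-"
            lines.append(f"MISMATCH A:{f['a'].local}<->{f['a'].remote} "
                         f"B:{f['b'].local}<->{f['b'].remote} "
                         f"only A covers: {extra_a}; only B covers: {extra_b}")
        else:
            side, sel = ("A", f["a"]) if f["a"] else ("B", f["b"])
            lines.append(f"MISSING  {sel.local} <-> {sel.remote} configured only on {side}")
    return lines


if __name__ == "__main__":
    # Constructed sample: A widened LAN1 to a /27 and added LAN2; B still has the /28.
    side_a = parse_selectors([("10.0.0.0/27", "192.168.1.0/24"),
                              ("10.0.1.0/24", "192.168.1.0/24")])
    side_b = parse_selectors([("192.168.1.0/24", "10.0.0.0/28")])
    print("\n".join(report(compare(side_a, side_b))))
```

Run it with each end's configured pairs as input; a MISMATCH line names the exact addresses (here the upper /28 of the widened /27) that one end would send through the tunnel while the other end's policy does not expect them, which is where the one-directional traffic described above comes from. A MISSING line is the harmless "new disjoint subnet" case until the peer is updated.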
