RE: SA look up

"Li, Ruicong" <rli@starentnetworks.com> Wed, 05 December 2001 16:38 UTC

Subject: RE: SA look up
Date: Wed, 05 Dec 2001 10:04:57 -0500
Message-ID: <675E14B1F51412408D550FF74C036B2614C831@THOREAU.starentnetworks.com>
Thread-Topic: SA look up
From: "Li, Ruicong" <rli@starentnetworks.com>
To: Jin Zhang <jzhang@elmic.com>, IPsec WG <ipsec@lists.tislabs.com>

Another SA pair must be negotiated if A wants to directly send the IPSec
packet to C. But if a Security Gateway is used, all the IPSec packets
should be sent to SG, so only one SA pair (A<->SG) is needed to protect
all the traffic (A<->B and A<->C).
 
Ruicong Li

-----Original Message-----
From: Jin Zhang [mailto:jzhang@elmic.com]
Sent: Tuesday, December 04, 2001 7:05 PM
To: 'IPsec WG'
Subject: SA look up

Hi, there, 
 
I know I must be wrong somewhere, please kindly correct me:
 
       C 192.168.1.2
       /
      /
     /
    /
   A -----------B  192.168.1.3
192.168.1.1
 
At site A, there exists policy:
From source (192.168.1.1) to destination (ip minimum 192.168.1.2 to ip
maximum 192.168.1.10), any src port, any dst port, any protocol, use
AH-transport mode, and md5-hmac to protect traffic. All the SA selectors
use the values associated with the policy entry.
 
Now if A wants to send a message to B, SAs will be negotiated between A
and B, so there will be an outbound SA at site A. Since the selector
value will use the policy entry, the same SA will be used for traffic A
-> C.
 
Now the problem comes: when C receives a packet from A, it looks up its own
inbound SA table by <dst IP=C, spi, AH-protocol>, and the SA is
NOT there! The packet will be dropped. And there seems to be no way to overcome
this, because whenever A wants to send a message to C, it will locate an
SA which is actually negotiated between A and B.
 
Thanks for your help,
 
Jin Zhang
Elmic Systems USA
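A small simulation of the two lookups discussed in this thread, added here as an illustration and not code from either poster: the receiver's inbound SAD is keyed by <dst IP, SPI, protocol>, so an SA negotiated with B can never be found at C, and the outbound side must therefore select an SA by policy AND peer (negotiating a second pair for C, the host-to-host case in the reply). Host names, addresses, the SPI allocator and the IKE stand-in are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address
from itertools import count

# Constructed from the question: A -> 192.168.1.2..192.168.1.10, AH transport mode.
POLICY = {"dst_lo": "192.168.1.2", "dst_hi": "192.168.1.10", "proto": "AH"}
SPI = count(1000)  # hypothetical SPI allocator for the simulated IKE exchange
SA = namedtuple("SA", "spi proto peer")  # peer: the host it was negotiated with

class Host:
    def __init__(self, addr):
        self.addr, self.sad_in, self.sad_out = addr, {}, {}

HOSTS = {a: Host(a) for a in ("192.168.1.1", "192.168.1.2", "192.168.1.3")}
A, C, B = HOSTS["192.168.1.1"], HOSTS["192.168.1.2"], HOSTS["192.168.1.3"]

def negotiate(x, y):
    """Model IKE: install one SA per direction, on the two negotiating peers only."""
    for s, d in ((x, y), (y, x)):
        sa = SA(next(SPI), POLICY["proto"], d.addr)
        s.sad_out[d.addr] = sa
        d.sad_in[(d.addr, sa.spi, sa.proto)] = sa

def in_policy(dst):
    return ip_address(POLICY["dst_lo"]) <= ip_address(dst) <= ip_address(POLICY["dst_hi"])

def receive(dst, spi, proto):
    """Inbound lookup keyed by <dst IP, SPI, protocol>, as in the question."""
    return "deliver" if (dst, spi, proto) in HOSTS[dst].sad_in else "drop"

def send_policy_keyed(src, dst):
    """Broken model from the question: reuse whichever SA hangs off the policy entry."""
    if not in_policy(dst): return "bypass"
    sa = next(iter(src.sad_out.values()))  # whoever that SA's peer happens to be
    return receive(dst, sa.spi, sa.proto)

def send_peer_keyed(src, dst):
    """Correct model: outbound SA keyed by policy AND peer; negotiate when absent."""
    if not in_policy(dst): return "bypass"
    if dst not in src.sad_out:
        negotiate(src, HOSTS[dst])  # the second SA pair the reply describes
    sa = src.sad_out[dst]
    return receive(dst, sa.spi, sa.proto)

if __name__ == "__main__":
    negotiate(A, B)
    print(send_policy_keyed(A, C.addr), send_peer_keyed(A, C.addr))  # drop deliver
```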