[IPsec] Can one IPsec SA be established via two internet ports on one device?

Linda Dunbar <linda.dunbar@huawei.com> Mon, 19 November 2018 19:19 UTC

From: Linda Dunbar <linda.dunbar@huawei.com>
To: IPsecME WG <ipsec@ietf.org>
Thread-Topic: Can one IPsec SA be established via two internet ports on one device?
Date: Mon, 19 Nov 2018 19:19:32 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B1C8D3B@sjceml521-mbx.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IMdGuGk2QcDGRgRUC7NyPpe_MgE>
Subject: [IPsec] Can one IPsec SA be established via two internet ports on one device?

IPsec experts,

In the following diagram, CPE1 has two internet ports, A1 by one service provider, A2 by another service provider.
CPE2 also has two ports facing two different internet service providers.

Question: can I establish ONE IPsec SA between CPE1 & CPE2 (i.e. between 10.1.1.1 & 10.1.2.1)?
But the actual packets sent out from port A1 have to use A1 as source address, and B1 or another public address as destination address.

Or is it necessary to have one IPsec SA between A1<->B1, one IPsec SA between A1<->B2, one IPsec SA between A2<->B1, and one IPsec SA between A2<->B2?


[Diagram attachment image001.png not included in the archive]

Thanks, Linda Dunbar
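As an added illustration (not part of Linda's message or of any reply on the list), the following Python model shows how an RFC 4301 Security Association Database entry ties a tunnel-mode SA to one outer source/destination address pair, which is what makes the question above non-trivial. The public addresses for A1, A2, B1 and B2 are constructed from RFC 5737 documentation ranges; only the inner addresses 10.1.1.1 and 10.1.2.1 come from the message. The `update_addresses` method mimics the kind of address change MOBIKE (RFC 4555) performs on an existing SA and is an assumption of this model, not a reference implementation.

```python
"""Model of RFC 4301 SAD entries on a multi-homed tunnel-mode peer.

Constructed example: addresses for the four internet ports are taken from
RFC 5737 documentation ranges and are not from the original message.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional


@dataclass(frozen=True)
class SadEntry:
    """One security association.

    Per RFC 4301 section 4.4.2.1 a tunnel-mode SAD entry records the tunnel
    header source and destination addresses, so an SA is bound to one outer
    address pair even though its traffic selectors describe inner traffic.
    """
    spi: int
    outer_src: str
    outer_dst: str
    inner_src: str
    inner_dst: str


class Sad:
    """Minimal Security Association Database keyed by SPI."""

    def __init__(self) -> None:
        self.entries: Dict[int, SadEntry] = {}

    def add(self, entry: SadEntry) -> None:
        if entry.spi in self.entries:
            raise ValueError(f"duplicate SPI {entry.spi:#x}")
        self.entries[entry.spi] = entry

    def select_outbound(self, inner_src: str, inner_dst: str,
                        egress_addr: str) -> Optional[SadEntry]:
        """Outbound lookup: inner selectors plus the address the packet must
        leave from. Only an SA whose tunnel source equals egress_addr can be
        used, because the ESP outer header is built from the SAD entry."""
        for entry in self.entries.values():
            if (entry.inner_src, entry.inner_dst, entry.outer_src) == (
                    inner_src, inner_dst, egress_addr):
                return entry
        return None

    def update_addresses(self, spi: int, new_src: str, new_dst: str) -> SadEntry:
        """Assumed MOBIKE-style (RFC 4555) address update: same SPI and keys,
        new outer address pair. The SA still has exactly one pair at a time."""
        updated = replace(self.entries[spi], outer_src=new_src, outer_dst=new_dst)
        self.entries[spi] = updated
        return updated


def encapsulate(sad: Sad, inner_src: str, inner_dst: str,
                egress_addr: str) -> Optional[dict]:
    """Return the ESP outer header fields for a packet, or None if no SA can
    carry it out of the given port."""
    entry = sad.select_outbound(inner_src, inner_dst, egress_addr)
    if entry is None:
        return None
    return {"src": entry.outer_src, "dst": entry.outer_dst, "spi": entry.spi}


# Constructed public addresses for the four ports in the question.
A1, A2 = "198.51.100.1", "203.0.113.1"
B1, B2 = "192.0.2.1", "192.0.2.129"
CPE1_INNER, CPE2_INNER = "10.1.1.1", "10.1.2.1"


def build_single_sa_sad() -> Sad:
    """The 'one SA between CPE1 and CPE2' reading: a single tunnel-mode SA
    whose outer pair happens to be A1 -> B1."""
    sad = Sad()
    sad.add(SadEntry(0x1001, A1, B1, CPE1_INNER, CPE2_INNER))
    return sad


def build_full_mesh_sad() -> Sad:
    """The 'one SA per port pair' reading: four SAs, one per (A, B) pair."""
    sad = Sad()
    spi = 0x2000
    for src in (A1, A2):
        for dst in (B1, B2):
            sad.add(SadEntry(spi, src, dst, CPE1_INNER, CPE2_INNER))
            spi += 1
    return sad


if __name__ == "__main__":
    single = build_single_sa_sad()
    print("via A1:", encapsulate(single, CPE1_INNER, CPE2_INNER, A1))
    print("via A2:", encapsulate(single, CPE1_INNER, CPE2_INNER, A2))
    single.update_addresses(0x1001, A2, B2)
    print("via A2 after address update:",
          encapsulate(single, CPE1_INNER, CPE2_INNER, A2))
    print("full mesh SA count:", len(build_full_mesh_sad().entries))
```

Running the block shows that with a single SA bound to A1 -> B1, a packet that must leave via A2 finds no usable SA; after the address update the same SPI carries traffic out of A2 but no longer out of A1, while the full-mesh SAD holds four entries, one per outer address pair.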