Re: [IPsec] Can one IPsec SA be established via two internet ports on one device?

Linda Dunbar <linda.dunbar@huawei.com> Mon, 19 November 2018 21:16 UTC

From: Linda Dunbar <linda.dunbar@huawei.com>
To: joel jaeggli <joelja@gmail.com>
CC: IPsecME WG <ipsec@ietf.org>
Date: Mon, 19 Nov 2018 21:15:57 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B1CBE26@sjceml521-mbx.china.huawei.com>
In-Reply-To: <06E267FB-9751-44FF-887D-E0A304A58C85@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/gCINih6HNN7VGG-Ua8lUFCNdYiU>

Joel,

Thanks for the help.

When you said “IPs are sourced loopbacks that are part of a prefix exported to the isp(s) in each site”, do you mean that the private loopback addresses of CPE1 & CPE2 are routable in all four ISPs that connect to A1, A2, B1, B2?

Linda

From: joel jaeggli [mailto:joelja@gmail.com]
Sent: Monday, November 19, 2018 2:18 PM
To: Linda Dunbar <linda.dunbar@huawei.com>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] Can one IPsec SA be established via two internet ports on one device?

On Nov 19, 2018, at 11:19, Linda Dunbar <linda.dunbar@huawei.com> wrote:

IPsec experts,

In the following diagram, CPE1 has two internet ports: A1 from one service provider, A2 from another service provider.
CPE2 also has two ports facing two different internet service providers.

Question: can I establish ONE IPsec SA between CPE1 & CPE2 (i.e. between 10.1.1.1 & 10.1.2.1)?
But the actual packets sent out from the A1 port have to use A1 as source address, and B1 or another public address as destination address.


If in your example the source and destination IPs are sourced loopbacks that are part of a prefix exported to the isp(s) in each site then you could in fact have one association…

If the CPEs are using a provider assigned ip for tunnel termination you’re going to need 4.

We do the former all the time with sites multi-homed via bgp.



Or is it necessary to have one IPsec SA between A1<->B1, one IPsec SA between A1<->B2, one IPsec SA between A2<->B1, and one IPsec SA between A2<->B2?


[attachment image001.png: the diagram referred to above; not rendered in the archive text]

Thanks, Linda Dunbar
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
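The distinction Joel draws above (one SA when both tunnel endpoints are loopbacks whose prefix is exported to the ISPs; ports times ports SAs when the tunnels terminate on provider-assigned addresses) modelled in Python, as an added example that is not part of the thread and not anyone's product code. It keeps the 10.1.1.1 and 10.1.2.1 loopbacks from the question, and assumes placeholder port addresses and prefixes from documentation ranges, a responder SAD keyed on (outer destination, SPI), and ISP ingress filtering that accepts a source address on a port only if it is that port's own address or lies in a prefix the site exports.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product

# Constructed topology following the thread: each CPE has a loopback
# (10.1.1.1 and 10.1.2.1 as in the question) and two ISP-assigned ports.
# Port addresses and prefixes are placeholders from documentation ranges.
@dataclass(frozen=True)
class Cpe:
    name: str
    loopback: str
    ports: tuple        # ISP-assigned address of each internet port

@dataclass(frozen=True)
class Sa:
    spi: int
    local: str          # outer source address of packets sent on this SA
    remote: str         # outer destination address of packets sent on this SA

CPE1 = Cpe("CPE1", "10.1.1.1", ("198.51.100.1", "203.0.113.1"))      # ports A1, A2
CPE2 = Cpe("CPE2", "10.1.2.1", ("198.51.100.129", "203.0.113.129"))  # ports B1, B2
PROVIDER_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24"]   # always routable
LOOPBACK_PREFIXES = ["10.1.1.0/24", "10.1.2.0/24"]          # routable only if exported

class Sad:
    """Responder's inbound SA database, keyed on (outer destination, SPI), as
    an implementation that terminates tunnels per address does (assumed here;
    RFC 4301 lets the destination address take part in the inbound match)."""
    def __init__(self):
        self._entries = {}

    def add(self, sa):
        self._entries[(sa.remote, sa.spi)] = sa

    def lookup(self, outer_dst, spi):
        return self._entries.get((outer_dst, spi))

def required_sas(initiator, responder, terminate_on_loopback, spi_base=0x1000):
    """SAs the initiator needs so traffic can leave any of its ports toward
    any remote port: one SA between loopbacks, or ports x ports SAs between
    provider-assigned addresses."""
    if terminate_on_loopback:
        return [Sa(spi_base, initiator.loopback, responder.loopback)]
    pairs = product(initiator.ports, responder.ports)
    return [Sa(spi_base + i, src, dst) for i, (src, dst) in enumerate(pairs)]

def covered(address, prefixes):
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def send(sa, egress_port, responder_sad, exported_prefixes):
    """Emit one ESP packet on `sa` out of `egress_port`; return the SA the
    responder matches it to, or None if the underlay cannot carry it.
    The outer header always carries the SA endpoints, never the port address."""
    outer_src, outer_dst, spi = sa.local, sa.remote, sa.spi
    # Assumed ISP ingress filtering: a source is accepted on a port only if it
    # is that port's own address or lies in a prefix the site exports.
    if outer_src != egress_port and not covered(outer_src, exported_prefixes):
        return None
    # The far end must be routable: provider space always is, loopback space
    # only once its prefix has been exported to the ISPs.
    if not covered(outer_dst, PROVIDER_PREFIXES + exported_prefixes):
        return None
    return responder_sad.lookup(outer_dst, spi)

def simulate(terminate_on_loopback, loopbacks_exported):
    """Install the CPE1->CPE2 SAs at CPE2, then send on every SA over every
    CPE1 port. Returns {(outer_src, outer_dst, egress_port): delivered}."""
    exported = LOOPBACK_PREFIXES if loopbacks_exported else []
    sas = required_sas(CPE1, CPE2, terminate_on_loopback)
    sad = Sad()
    for sa in sas:
        sad.add(sa)
    return {(sa.local, sa.remote, port): send(sa, port, sad, exported) is not None
            for sa in sas for port in CPE1.ports}

if __name__ == "__main__":
    for loopback, exported in [(True, True), (True, False), (False, True)]:
        r = simulate(loopback, exported)
        print(f"loopback={loopback} exported={exported}: "
              f"{len({(s, d) for s, d, _ in r})} SA(s), "
              f"{sum(r.values())}/{len(r)} (SA, port) combinations deliver")
```

With loopback termination and the loopback prefixes exported, the single SA delivers over either port, because the outer header never changes with the egress link and the responder's one SAD entry matches whichever ISP carried the packet; without the export, nothing delivers. With provider-assigned termination there are four SAs and each one works only on the port that owns its source address, which is the "you're going to need 4" case.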