Re: multiple phase 1 tunnel and proxy ID issues

Stephen Kent <kent@bbn.com> Wed, 20 May 1998 20:37 UTC

Date: Wed, 20 May 1998 16:52:16 -0400
To: Cliff Wang <cxwang@us.ibm.com>
From: Stephen Kent <kent@bbn.com>
Subject: Re: multiple phase 1 tunnel and proxy ID issues
Cc: ipsec@tis.com

Cliff,

>I totally agree with what you have replied in the mail.  Actually
>my question is that if a user name instead of an IP address is
>used in the ID payload of the phase 2 negotiation, even if
>a Phase 2 SA is negotiated successfully, we cannot
>create an SPD entry, since a user ID cannot be used to
>process packets. We need to turn that ID into an address
>in order to create an SPD entry. But I am not sure how
>to map that ID into an IP address. This is a practical case
>when two mobile users log into two different ISP boxes,
>get dynamic addresses and they want to have their
>data traffic protected. The ISP boxes' policy can only be
>configured with the mobile users' IDs, since their
>addresses are dynamically assigned. The ISP boxes
>can negotiate a Phase 2 SA with the ID, but then they
>somehow need to exchange the user ID to IP address
>mapping with each other. Otherwise an SPD entry cannot be
>created.

Sorry.  I forgot to address that important detail.  The address for the
remote peer should be acquired from the inner IP header (it's a security
gateway, so we must be using tunnel mode) of the client traffic. It would
be cleaner if IKE expressly stated the address, but lacking that one can
grab the first inbound packet for the SA (it must come from the remote peer
since the SG and the clients behind it don't know the address yet) and
extract the address to fill in the SPD and SAD entries re the IP address
selectors.  Other selectors, if applicable, could have been filled in from
the name-based SPD entry.

Steve
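The approach Steve describes, as an added example that is not part of the original thread: a name-based SPD entry whose remote address selector is unset until the first decapsulated inbound packet for the SA supplies it from the inner IP header, after which later packets are matched against the learned address. The entry model, the user names and the sample packets are constructed for illustration; they are not IKE or any implementation's data structures.

```python
import ipaddress
import struct

# Inner IPv4 header layout: version/IHL, TOS, total length, id, flags/frag,
# TTL, protocol, header checksum, source, destination (20 bytes, no options).
IPV4_HDR = "!BBHHHBBH4s4s"


def build_inner_ipv4(src, dst, proto=6):
    """Constructed sample inner header for tests (checksum left at zero)."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_inner_header(pkt):
    """Return (src, dst, proto) from a decapsulated tunnel-mode inner header."""
    if len(pkt) < 20:
        raise ValueError("truncated inner header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 inner header")
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto


class NameBasedSpdEntry:
    """SPD entry configured by peer name; the remote address is learned later."""

    def __init__(self, remote_name, local_subnet, proto=None):
        self.remote_name = remote_name           # identity from the IKE ID payload
        self.local_subnet = ipaddress.ip_network(local_subnet)
        self.proto = proto                       # optional protocol selector
        self.remote_addr = None                  # filled from first inbound packet


def inbound_check(entry, inner_pkt):
    """Apply the entry to an inbound packet after decapsulation.

    Selectors known from the name-based entry (local subnet, protocol) are
    checked first; only a packet passing them may set the remote address.
    Once set, the learned address is pinned for the life of the SA.
    """
    src, dst, proto = parse_inner_header(inner_pkt)
    if dst not in entry.local_subnet:
        return False
    if entry.proto is not None and proto != entry.proto:
        return False
    if entry.remote_addr is None:
        entry.remote_addr = src                  # fill the address selector
        return True
    return src == entry.remote_addr
```

A packet that fails the already-known selectors never sets the address, so a stray first packet cannot pin the entry to the wrong peer.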