Re: IKE negotiation/rekeying problem with RSIP
"Mike Borella" <Mike_Borella@mw.3com.com> Mon, 15 November 1999 22:34 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA22268; Mon, 15 Nov 1999 14:34:09 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA20025 Mon, 15 Nov 1999 15:37:24 -0500 (EST)
X-Lotus-FromDomain: 3COM@3COM-MWGATE
From: Mike Borella <Mike_Borella@mw.3com.com>
To: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>
cc: ipsec@lists.tislabs.com
Message-ID: <8625682A.00727329.00@mwgate02.mw.3com.com>
Date: Mon, 15 Nov 1999 14:38:51 -0600
Subject: Re: IKE negotiation/rekeying problem with RSIP
Mime-Version: 1.0
Content-type: text/plain; charset="us-ascii"
Content-Disposition: inline
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Point (2):

- IMO, IKE should be allowed to choose an ephemeral port just like any other
  application. Is there a reason why this isn't the case?

- We currently specify exactly that - looking at i-cookies to differentiate
  clients.

-Mike


"Michael C. Richardson" <mcr@sandelman.ottawa.on.ca> on 11/14/99 09:04:09 PM

Sent by:  "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>

To:       ipsec@lists.tislabs.com
cc:       (Mike Borella/MW/US/3Com)
Subject:  Re: IKE negotiation/rekeying problem with RSIP

>>>>> "Saint-Hilaire," == Saint-Hilaire, Ylian <ylian.saint-hilaire@intel.com> writes:

    Saint-Hilaire,> There is a possible problem IKE initiation/rekeying over
    Saint-Hilaire,> RSIP. If two inner computers use an RSIP gateway to
    Saint-Hilaire,> establish IPsec sessions to one destination, the
    Saint-Hilaire,> destination computers will see 2 IKE phase1's from the

  1) this in itself may be a problem for some gateways.

    Saint-Hilaire,> gateway. If the destination computer ever needs to rekey
    Saint-Hilaire,> a phase 2 or negotiate a new phase 2, he may select an
    Saint-Hilaire,> incorrect phase 1 to negotiate with.

  2) worse, they can't both get UDP port 500.

There are choices to resolve this:

  a) permit initiators to use other than port 500, and have the remote
     gateway respond to the correct port.

  b) have the gateway demux based upon cookies instead of port numbers.
     This makes the gateway aware of IKE, but it needs to know proto 50/51
     anyway.

:!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
Michael Richardson |  Cow#2: No. I'm a duck.
Home: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
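The two options Michael lists are easiest to compare in code. The following is an added example, not code from this thread, from any of its posters, or from any RSIP or IKE implementation: it models a conventional port-keyed NAPT binding table, which cannot give two inner hosts UDP port 500 at once (point 2), beside a table that implements option (b) by keying IKE state on the (remote peer, initiator cookie) pair taken from the ISAKMP header (RFC 2408 section 3.1). Because the cookie pair identifies the ISAKMP SA for its lifetime, a quick-mode exchange or rekey started by the remote peer carries the same initiator cookie and is delivered to the right inner host. All class names, addresses and cookie values are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# ISAKMP fixed header, RFC 2408 section 3.1, network byte order, 28 bytes:
#   initiator cookie (8), responder cookie (8), next payload (1),
#   major/minor version (1), exchange type (1), flags (1),
#   message ID (4), total message length (4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HDR_LEN = ISAKMP_HDR.size
IKE_PORT = 500
ZERO_COOKIE = bytes(8)


@dataclass(frozen=True)
class IsakmpHeader:
    i_cookie: bytes
    r_cookie: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


class CookieCollision(Exception):
    """Two inner hosts presented the same initiator cookie toward one peer."""


def parse_isakmp_header(datagram: bytes) -> IsakmpHeader:
    """Parse the fixed ISAKMP header; reject truncated or inconsistent datagrams."""
    if len(datagram) < ISAKMP_HDR_LEN:
        raise ValueError("datagram shorter than ISAKMP header")
    hdr = IsakmpHeader(*ISAKMP_HDR.unpack_from(datagram))
    if hdr.length < ISAKMP_HDR_LEN or hdr.length > len(datagram):
        raise ValueError("ISAKMP length field inconsistent with datagram size")
    if hdr.i_cookie == ZERO_COOKIE:
        raise ValueError("initiator cookie must be non-zero")
    return hdr


def make_isakmp_datagram(i_cookie: bytes, r_cookie: bytes, exchange_type: int,
                         message_id: int, body: bytes = b"") -> bytes:
    """Build a minimal ISAKMP datagram as constructed sample input (body is opaque)."""
    length = ISAKMP_HDR_LEN + len(body)
    # version byte 0x10 = major 1, minor 0
    return ISAKMP_HDR.pack(i_cookie, r_cookie, 0, 0x10, exchange_type, 0,
                           message_id, length) + body


class PortOnlyNapt:
    """Conventional NAPT: one inner host per public port (constructed model).
    Two inner hosts that both need source port 500 cannot both be bound."""

    def __init__(self) -> None:
        self._bindings: Dict[int, str] = {}

    def bind(self, public_port: int, inner_host: str) -> bool:
        owner = self._bindings.setdefault(public_port, inner_host)
        return owner == inner_host


class CookieDemuxTable:
    """Option (b): key IKE state on (peer address, initiator cookie), not on port."""

    def __init__(self) -> None:
        self._bindings: Dict[Tuple[str, bytes], str] = {}

    def register_outbound(self, inner_host: str, peer: str, datagram: bytes) -> IsakmpHeader:
        """Record which inner host owns the cookie seen in an outbound IKE datagram."""
        hdr = parse_isakmp_header(datagram)
        key = (peer, hdr.i_cookie)
        owner = self._bindings.setdefault(key, inner_host)
        if owner != inner_host:
            # Two inner hosts picked the same cookie toward the same peer;
            # refuse rather than silently steal the binding.
            raise CookieCollision(f"cookie {hdr.i_cookie.hex()} toward {peer} owned by {owner}")
        return hdr

    def route_inbound(self, peer: str, datagram: bytes) -> Optional[str]:
        """Pick the inner host for an inbound IKE datagram; None means drop."""
        try:
            hdr = parse_isakmp_header(datagram)
        except ValueError:
            return None
        return self._bindings.get((peer, hdr.i_cookie))

    def release(self, peer: str, i_cookie: bytes) -> None:
        """Forget a binding once the ISAKMP SA is deleted or expires."""
        self._bindings.pop((peer, i_cookie), None)

    def active_bindings(self) -> int:
        return len(self._bindings)
```

The demux table deliberately drops anything that does not parse as ISAKMP or whose cookie is unknown, so a stray datagram to UDP 500 never reaches an inner host by accident; bindings also need the same idle timeout or explicit release that a NAPT port mapping gets, otherwise the table grows without bound.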