Re: Asymmetric IPSec transform sets - Inbound vs Outbound

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Fri, 22 May 2009 16:45:09 +0100

Thanks Pieter!

On Thu, May 21, 2009 at 6:38 PM, Pieter-Jan Nefkens <
pjnefkens_at_nefkensadvies.nl> wrote:

> Hi Sadiq.
>
> If it's just plain IPsec, I doubt that you can use asymmetric transform
> sets.
>
> Basically, in the Phase 2 negotiation, the first transform set is offered
> (or both) to the peer. The peer lists its transform sets and selects the
> first one that matches. Comparable with the ISAKMP Phase 1 policies.
>
> However, if you would not use ISAKMP but manual keying, you might have
> something. But if I remember correctly, with a VPN everything must match at
> both sites: PFS, DH, access-list (with the exception of one peer trying to
> connect to the other which has a super-set ACL configured).
>
> How would that go with rekeying? And what if the ACL consists of more than
> one entry? My guess, also for the hardware acceleration, is that the crypto
> map only uses one transform set for both inbound and outbound SPIs. If you
> do a "debug crypto isakmp" you can see that. The only thing that is
> different between the two SAs is the key, and where it is generated. DH
> makes sure that the dynamic symmetric key is not sent over the wire...
>
>
> Pieter-Jan
>
>
>
> On 21 mei 2009, at 15:42, Sadiq Yakasai wrote:
>
>> Guys,
>>
>> So, I think I'm spending too much time in the books and theories, but I
>> gather that it's possible to configure different transform sets for the
>> Phase 2 SAs (inbound vs outbound)... with respect to the tunnel endpoints.
>>
>> So is this really possible? The first try didn't go successfully, but
>> looking at it again, I have a few doubts that might need clearing up.
>>
>> So in total, on each peer, how many transform sets do I need (if this
>> convolution is even possible to begin with)? 2 on each side (while
>> swapping the ordering of how they are bound to the crypto map?), thereby
>> making them asymmetric, sort of?
>>
>> Thanks in advance as usual,
>> Sadiq
>>
>> --
>> CCIE #19963
>>
>>
>

-- 
CCIE #19963
Received on Fri May 22 2009 - 16:45:09 ART
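Added example (not code from the thread, from Cisco IOS, or from either poster): a small Python model of the Phase 2 transform-set selection Pieter-Jan describes, showing that binding the same two transform sets in opposite order on the two peers still yields one transform for both the inbound and outbound SA, with only the SPI and key differing. PEER_A, PEER_B and the hash-based per-direction key derivation are constructed assumptions of this model, not IOS behaviour or the real IKE PRF.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TransformSet:
    name: str        # local label, as in "crypto ipsec transform-set <name>"
    cipher: str      # e.g. esp-aes
    auth: str        # e.g. esp-sha-hmac
    mode: str = "tunnel"

    def matches(self, other: "TransformSet") -> bool:
        # Names are local to each peer; only algorithms and mode are negotiated.
        return (self.cipher, self.auth, self.mode) == (other.cipher, other.auth, other.mode)


def negotiate(offered: List[TransformSet], responder: List[TransformSet]) -> Optional[TransformSet]:
    """Responder walks its own list in order and returns the first entry that
    matches any proposal the initiator offered; None means no matching transform."""
    for candidate in responder:
        for proposal in offered:
            if candidate.matches(proposal):
                return candidate
    return None


def build_sa_pair(agreed: TransformSet, dh_secret: bytes, spi_in: int, spi_out: int) -> Dict[str, dict]:
    """Both directional SAs carry the single agreed transform; only SPI and key differ.
    Key derivation here is a constructed stand-in: SHA-256 over secret, direction, SPI."""
    def key_for(direction: str, spi: int) -> str:
        return hashlib.sha256(dh_secret + direction.encode() + spi.to_bytes(4, "big")).hexdigest()
    return {
        "inbound": {"spi": spi_in, "transform": agreed.name, "key": key_for("in", spi_in)},
        "outbound": {"spi": spi_out, "transform": agreed.name, "key": key_for("out", spi_out)},
    }


def sa_pair_is_symmetric(pair: Dict[str, dict]) -> bool:
    """True when inbound and outbound SAs share one transform but have distinct SPI and key."""
    i, o = pair["inbound"], pair["outbound"]
    return i["transform"] == o["transform"] and i["spi"] != o["spi"] and i["key"] != o["key"]


# Constructed configs: the same two transform sets, bound in opposite order on each peer.
TS_AES = TransformSet("TS-AES", "esp-aes", "esp-sha-hmac")
TS_3DES = TransformSet("TS-3DES", "esp-3des", "esp-md5-hmac")
PEER_A = [TS_AES, TS_3DES]   # initiator offers its list in this order
PEER_B = [TS_3DES, TS_AES]   # responder prefers 3DES first
```

With these lists the responder's first matching entry (TS-3DES) is used for both SAs; swapping the order on one side changes which transform wins, not whether the two directions differ.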
