Vijay Devarapalli wrote:
> I don't agree with the restriction that the original gateway and the
> new gateway should have the same IDr. That is too restrictive. For
> example, it should be possible for gw1 to redirect the client to
> gw2, with the two gateways having two distinct FQDNs.

Right... but if the client does not have a PAD entry for gw2's IDr,
then the IKE negotiation will fail. (I guess we're not considering
updating the PAD based on REDIRECTs.)

(BTW, note that "having same IDr" is not exactly the same thing as
"having same FQDN" -- gw1.example.com and gw2.foobar.example are
clearly distinct FQDNs from a DNS point of view, but they might or
might not be distinct "principals" from an IPsec PAD point of view.)

> It is okay with me to recommend similar authentication mechanisms
> for the original and new gateways. But I would prefer not to use a
> 'MUST' here.

I think this needs to be phrased in terms of the RFC 4301 PAD (and
possibly the "selecting right peer for SA" function).

Best regards,
Pasi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
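To make the PAD argument above concrete, here is an added illustration (not code from the thread or from any IKEv2 implementation) of how a client-side RFC 4301 PAD decides whether a REDIRECT target can even be authenticated, and whether two distinct FQDNs fall under the same PAD principal. The PAD entries, gateway names and the preference for exact matches over wildcard matches are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class PadEntry:
    """One PAD entry: an ID pattern plus the authentication method that peer must use."""
    id_type: str      # only "FQDN" is exercised here; RFC 4301 also allows RFC822, IP, DN, KEY_ID
    id_pattern: str   # exact name or "*.suffix" wildcard (RFC 4301 4.4.3.1 permits suffix wildcards)
    auth_method: str  # e.g. "RSA_SIG" or "PSK"

    def matches(self, id_type: str, identity: str) -> bool:
        if id_type != self.id_type:
            return False
        ident = identity.lower().rstrip(".")
        pat = self.id_pattern.lower().rstrip(".")
        if pat.startswith("*."):
            # "*.example.com" covers gw1.example.com but not the bare "example.com"
            return ident.endswith(pat[1:]) and ident != pat[2:]
        return ident == pat

def pad_lookup(pad: List[PadEntry], id_type: str, identity: str) -> Optional[PadEntry]:
    """Return the PAD entry for an IDr, preferring an exact entry over a wildcard (assumed policy)."""
    hits = [e for e in pad if e.matches(id_type, identity)]
    hits.sort(key=lambda e: e.id_pattern.startswith("*."))  # exact matches first
    return hits[0] if hits else None

def evaluate_redirect(pad: List[PadEntry], original: Tuple[str, str], redirected: Tuple[str, str]) -> dict:
    """Given the original gateway's IDr and the REDIRECT target's IDr, report what the client's PAD says.

    negotiation_possible: the new IDr has a PAD entry at all (otherwise IKE_AUTH cannot succeed)
    same_principal:       both IDrs resolve to the same PAD entry, i.e. same principal, even if the
                          FQDNs differ
    auth_method_changed:  the redirect moves the client to a gateway authenticated differently
    """
    orig_entry = pad_lookup(pad, *original)
    new_entry = pad_lookup(pad, *redirected)
    return {
        "negotiation_possible": new_entry is not None,
        "same_principal": orig_entry is not None and new_entry is orig_entry,
        "auth_method_changed": bool(orig_entry and new_entry
                                    and orig_entry.auth_method != new_entry.auth_method),
    }

# Constructed client PAD: one wildcard principal, one exact FQDN, one PSK-authenticated gateway.
CLIENT_PAD = [
    PadEntry("FQDN", "*.example.com", "RSA_SIG"),
    PadEntry("FQDN", "gw2.foobar.example", "RSA_SIG"),
    PadEntry("FQDN", "psk-gw.example.net", "PSK"),
]
```

With this PAD, a redirect from gw1.example.com to gw3.example.com stays within one principal, a redirect to gw2.foobar.example authenticates but as a different principal, and a redirect to a name with no PAD entry cannot complete IKE_AUTH at all.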