Yoav Nir writes:
> I agree. And whatever we may think of the particular solution, it does 
> present a problem that can and should be in the problem statement draft.
> 
> So how about adding the following sub-section:
> 
> 3.7.  Different IP addresses for IKE and IPsec
> 
>    In many implementations there are separate IP addresses for the
>    cluster, and for each member.  While the packets protected by tunnel
>    mode child SAs are encapsulated in IP headers with the cluster IP
>    address, the IKE packets originate from a specific member, and carry
>    that member's IP address.  For the peer, this looks weird, as the
>    usual thing is for the IPsec packets to come from the same IP address
>    as the IKE packets.

Normally all ESP packets also have the member's IP address as their
outer address, so there is no problem. Both IKE and ESP packets have
the same address (provided the IKE and Child SAs are located on the same
cluster member).

If the ESP packets have special handling that will change their outer
source address to match the cluster's IP address instead of the individual
member's IP address, then the same mechanisms can easily be used for
the IKE SA too.

>    One obvious solution is to use some fancy capability of the IKE host
>    to change things so that IKE packets also come out of the cluster IP
>    address.  This can be achieved through NAT or through assigning
>    multiple addresses to interfaces.  This is not, however, possible for
>    all implementations.

I would expect this to be one of those very basic services provided by
the cluster, so if the cluster implementation does not offer such a setup,
then it most likely does not offer that for Child SAs either, thus
there is no problem, as both ESP and IKE will use the same IP (i.e.
the member's own IP).

We already have standards-track mechanisms for updating the outer
address for both Child SAs and IKE (MOBIKE), so even when the
cluster's outer IP address is used in the normal case, the failover to
another cluster member (using a different IP address) is easy to do,
provided both cluster members share the same SA state.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
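The address-consistency point argued in this thread, as an added example that is not from the thread or from any IETF draft: a small Python model of the peer's side, which holds ESP Child SAs to the outer address of the IKE SA they belong to and moves both together on a MOBIKE UPDATE_SA_ADDRESSES. The addresses, SPIs and the strict "flag any mismatch" policy are constructed assumptions for illustration.

```python
# Added example, not from the thread: how a peer tracks the outer source
# address of IKE packets and of the ESP Child SAs under each IKE SA, and how
# a MOBIKE UPDATE_SA_ADDRESSES moves both to another cluster member's address.
# Addresses, SPIs and the strict "flag any mismatch" policy are constructed.
from dataclasses import dataclass, field

@dataclass
class IkeSa:
    spi_i: int
    spi_r: int
    peer_addr: str                                # outer address we expect
    mobike: bool = False                          # MOBIKE_SUPPORTED seen
    child_spis: set = field(default_factory=set)  # inbound ESP SPIs


def verdict(sa, src):
    return "ok" if src == sa.peer_addr else f"mismatch {src} != {sa.peer_addr}"


class Peer:
    def __init__(self):
        self.ike = {}  # (spi_i, spi_r) -> IkeSa
        self.esp = {}  # inbound ESP SPI -> owning IkeSa

    def add_ike_sa(self, spi_i, spi_r, peer_addr, mobike=False):
        sa = self.ike[(spi_i, spi_r)] = IkeSa(spi_i, spi_r, peer_addr, mobike)
        return sa

    def add_child(self, sa, esp_spi):
        sa.child_spis.add(esp_spi)
        self.esp[esp_spi] = sa

    def on_ike(self, spi_i, spi_r, src):
        # IKE packets are expected from the address the IKE SA was set up with.
        return verdict(self.ike[(spi_i, spi_r)], src)

    def on_esp(self, esp_spi, src):
        # ESP is held to the same address: a cluster VIP on ESP but a member
        # address on IKE (the case quoted above) surfaces here as a mismatch.
        return verdict(self.esp[esp_spi], src)

    def on_mobike_update(self, spi_i, spi_r, new_src):
        # UPDATE_SA_ADDRESSES (RFC 4555) moves the IKE SA and all its Child
        # SAs together, so failover to a member with another IP is clean.
        sa = self.ike[(spi_i, spi_r)]
        if not sa.mobike:
            return "rejected"
        sa.peer_addr = new_src
        return "updated"
```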