Hi,

Please find here the new draft on multiple IPsec interfaces. Following comments from IETF 86, we do not create multiple VPNs on each interface from a single IKEv2 channel. Instead we keep a single IKEv2 channel for each VPN.

To create VPNs on multiple interfaces, we first create parallel IKEv2 channels (and associated VPNs). These VPNs use the same interfaces. Then the additional IKEv2 channels (and associated VPNs) are moved to the proper interface using MOBIKE. We believe the changes to IPsec are minor. Feel free to make comments!

URL: http://www.ietf.org/internet-drafts/draft-mglt-ipsecme-keep-old-ike-sa-00.txt

Best Regards,
Daniel

---------- Forwarded message ----------
From: <[email protected]>
Date: Fri, Jul 5, 2013 at 12:15 PM
Subject: New Version Notification for draft-mglt-ipsecme-keep-old-ike-sa-00.txt
To: Daniel Migault <[email protected]>

A new version of I-D, draft-mglt-ipsecme-keep-old-ike-sa-00.txt has been successfully submitted by Daniel Migault and posted to the IETF repository.

Filename: draft-mglt-ipsecme-keep-old-ike-sa
Revision: 00
Title: KEEP_OLD_IKE_SA Extension
Creation date: 2013-07-05
Group: Individual Submission
Number of pages: 14
URL: http://www.ietf.org/internet-drafts/draft-mglt-ipsecme-keep-old-ike-sa-00.txt
Status: http://datatracker.ietf.org/doc/draft-mglt-ipsecme-keep-old-ike-sa
Htmlized: http://tools.ietf.org/html/draft-mglt-ipsecme-keep-old-ike-sa-00

Abstract:
This document considers a VPN client setting up a VPN with a security gateway where at least one of the peers has multiple interfaces. With the current IKEv2, the outer IP addresses of the VPN are determined by those used by the IKEv2 channel. As a result, using multiple interfaces requires setting up an IKEv2 channel on each interface, and on each path if both the VPN client and the security gateway have multiple interfaces. Setting up multiple IKEv2 channels involves multiple authentications, which MAY each require multiple round trips and delay the VPN establishment. In addition, multiple authentications unnecessarily load the VPN client and the authentication infrastructure. This document presents the KEEP_OLD_IKE_SA extension, where an additional IKEv2 channel is created from an already authenticated IKEv2 channel. The newly created IKEv2 channel is set up without the IKEv2 authentication exchange. The newly created IKEv2 channel can then be assigned to another interface using MOBIKE.

The IETF Secretariat

--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
