Manish,
> Steve,
> To answer your question, the SPD entries are not already there, they
> are created as the result of a message exchange between the two
> spokes; it's the spokes that choose the policy, not the hub. If the
> SPDs were already there, every IPSec node in the network would need to
> know about all the networks in the overall topology a priori -- to
> solve this is one of the main drivers of the whole exercise. This
> becomes even more complex if the hosts (not necessarily an IPSec node)
> acquire addresses dynamically and/or are mobile.
So the spokes, while connected through the hub, exchange messages to
cause SPD entries to be created. What protocol is used to do this?
Steve
p.s. please use the correct (vs. the Cisco-preferred?) spelling, i.e.,
IPsec, vs. IPSec.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec