Steve, NHRP is used to resolve the remote peer which serves/owns the address we're interested in. The information in this resolution culminates in the creation of SPD.
Manish

From: Stephen Kent <[email protected]>
Date: Wednesday, 6 November 2013 9:04 AM
To: Manish Kumar <[email protected]>, Mike Sullenberger <[email protected]>, ipsec <[email protected]>
Subject: Re: [IPsec] AD VPN: discussion kick off

Manish,

> Steve,
>
> To answer your question, the SPD entries are not already there; they are created as the result of a message exchange between the two spokes. It's the spokes that choose the policy, not the hub. If the SPDs were already there, every IPSec node in the network would need to know about all the networks in the overall topology a priori; solving this is one of the main drivers of the whole exercise. This becomes even more complex if the hosts (not necessarily an IPSec node) acquire addresses dynamically and/or are mobile.

So the spokes, while connected through the hub, exchange messages to cause SPD entries to be created. What protocol is used to do this?

Steve

p.s. please use the correct (vs. the Cisco-preferred?) spelling, i.e., IPsec, vs. IPSec.
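The flow discussed in the thread, modelled as an added example that is not part of the list messages: the hub holds spoke registrations and answers NHRP-style resolution requests, and a spoke creates SPD entries only after a resolution and a spoke-to-spoke exchange, never a priori. The class names, the hub key and the message shapes are assumptions made for this example, not any draft's protocol.

```python
import hmac
import hashlib
import ipaddress

# Constructed model: the hub is an NHRP-like next-hop server holding spoke
# registrations; spokes hold no SPD entries until a resolution and a
# spoke-to-spoke exchange create them. Names, key and message shapes are
# assumptions for this example, not the protocol of any draft.
HUB_KEY = b"constructed-hub-key"  # stands in for the hub's real authentication

def _tag(prefix, nbma):
    return hmac.new(HUB_KEY, f"{prefix}|{nbma}".encode(), hashlib.sha256).hexdigest()

class Hub:
    def __init__(self):
        self.spokes = {}  # protected prefix -> registered Spoke
    def register(self, spoke):
        self.spokes[ipaddress.ip_network(spoke.prefix)] = spoke
    def resolve(self, dst):
        """Answer a resolution request: the spoke owning dst, tagged by the hub."""
        addr = ipaddress.ip_address(dst)
        for prefix, spoke in self.spokes.items():
            if addr in prefix:
                return spoke, _tag(spoke.prefix, spoke.nbma)
        return None

class Spoke:
    def __init__(self, name, prefix, nbma, hub):
        self.name, self.prefix, self.nbma, self.hub = name, prefix, nbma, hub
        self.spd = {}  # remote prefix (traffic selector) -> peer NBMA address
        hub.register(self)  # registration only; no SPD entries yet

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        return next((peer for sel, peer in self.spd.items()
                     if addr in ipaddress.ip_network(sel)), None)

    def send(self, dst):
        """On an SPD miss, resolve dst via the hub, then run the spoke-to-spoke
        exchange so both spokes install matching SPD entries; returns peer NBMA."""
        peer_nbma = self.lookup(dst)
        if peer_nbma is not None:
            return peer_nbma  # policy already created by an earlier exchange
        reply = self.hub.resolve(dst)
        if reply is None:
            return None  # nobody owns dst: no policy is created
        peer, tag = reply
        if not hmac.compare_digest(tag, _tag(peer.prefix, peer.nbma)):
            return None  # an unauthenticated answer must not drive SPD creation
        self.spd[peer.prefix] = peer.nbma  # initiator side
        peer.spd[self.prefix] = self.nbma  # responder side, learned in the exchange
        return peer.nbma
```

A third spoke that never exchanges traffic with the first two keeps an empty SPD, which is the scaling property the thread is after.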
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
