mailing list archives
RE: IPsec with ambiguous routing
From: "Braun, Mike" <MBraun () firstam com>
Date: Wed, 12 Feb 2003 11:04:10 -0800
When the IPsec tunnel is formed, traffic is sent between the IPsec
terminating equipment/client at the remote office and the VPN concentrator
located at the other end. The source and destination networks are not seen
while the data is encrypted over the WAN. Only through a configuration
error could the traffic be sent unencrypted from source to destination. It
makes no difference that you have multiple WAN links, or even that a
potential for an asymmetrical traffic flow exists. The source and
destination address as it appears in the WAN cloud always remains the same.
From: David Wilburn [mailto:dwilburn () mitre org]
Sent: Wednesday, February 12, 2003 10:40 AM
To: nanog () merit edu
Subject: IPsec with ambiguous routing
I've been attempting to beef up my knowledge of IPsec recently, and got
to thinking hypothetically about a *possible* problem with implementing
IPsec on larger networks. My experience with IPsec is currently limited
at best, so hopefully I can communicate this properly:
Let's assume that I have a large-ish network with multiple connections
to the Internet and ambiguous routing (meaning that a packet might come
in one gateway and the response packet might leave through a different
gateway). Let's also assume that I'd like to allow IPsec tunnels into
my network to allow single workstations and small networks to attach to
With such ambiguous routing, is my understanding correct that the
response traffic could potentially bypass the VPN concentrator
altogether and travel to the destination unencrypted?
Is there any best practices advice for dealing with IPsec on such a
network, or am I stuck with either "redesign your network architecture"
or "don't allow IPsec?" From what I can figure, those last two options
are my best bet, unless I want to allow lots of VPN concentrators deeper
within the network where the routing is less ambiguous.
Are there any solutions for quickly, reliably, and securely sharing
IPsec Security Association databases between gateways, so that the other
gateways would know to encrypt the traffic before letting it out?
Any other relevant thoughts, experiences, insults, rude gestures, etc.?
"MMS <firstam.com>" made the following
annotations on 02/12/03 11:04:13
"THIS E-MAIL MESSAGE AND ANY FILES TRANSMITTED HEREWITH, ARE INTENDED SOLELY FOR THE USE OF THE INDIVIDUAL(S) ADDRESSED
AND MAY CONTAIN CONFIDENTIAL, PROPRIETARY OR PRIVILEGED INFORMATION. IF YOU ARE NOT THE ADDRESSEE INDICATED IN THIS
MESSAGE (OR RESPONSIBLE FOR DELIVERY OF THIS MESSAGE TO SUCH PERSON) YOU MAY NOT REVIEW, USE, DISCLOSE OR DISTRIBUTE
THIS MESSAGE OR ANY FILES TRANSMITTED HEREWITH. IF YOU RECEIVE THIS MESSAGE IN ERROR, PLEASE CONTACT THE SENDER BY
REPLY E-MAIL AND DELETE THIS MESSAGE AND ALL COPIES OF IT FROM YOUR SYSTEM."