Reusing an IPsec SA context?

  • Question

  • Hello,

    In certain deployment scenarios it is necessary to create one SA bundle between the local host and a remote host, then use the same SA for different blanket policies (such as "require IPsec for all traffic to any remote address with remote port number XYZ").

    In order to implement this on WFP:
    1. Is it possible to reuse an SA context (and the SA bundles contained therein) for another policy?
    2. If it is possible, which API functions should be used?
    Cheers,
    Eugene
    Tuesday, March 4, 2008 8:28 PM

Answers

  • No, this is not possible in Vista. The next version of Windows may expose some SA update APIs that will let you change the traffic it protects, but you gotta remember that you have to do this manually at both ends and cannot use a Keying Module. The whole question makes sense to ask only in the context of manual SAs.

    Hope that helps

    Thanks


    Tuesday, March 25, 2008 10:31 PM

All replies

  • If I understand your scenario: the policy to secure all traffic between X and Y resulted in the creation of an SA pair between X and Y. Now if you send a packet from X to Z (which is also secured by another IPsec policy) you want APIs to have the original SA protect this traffic as well. That is not supported.

    SAs are a contract between 2 peers to protect a certain set of traffic selectors (5 tuple) between them. During setup they go about negotiating these traffic selectors.

    Subsequently, one of the endpoints cannot unilaterally change the traffic selectors its SAs protect.

    Hope that helps.


    Thanks

    Gaurav

    Wednesday, March 5, 2008 6:55 PM
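To make the point above concrete, here is an added Python model (not WFP code and not from this thread) of the outbound SA lookup: an SA's traffic selectors are fixed when it is negotiated, so a flow on different ports only reuses an SA if a selector negotiated up front already covers that flow. Hosts, ports and SPIs are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class TrafficSelector:
    """One negotiated selector: protocol plus exact peer addresses and
    inclusive port ranges (the shape of an IKEv2 TSi/TSr entry)."""
    protocol: int              # 0 means "any protocol"
    local_addr: str
    remote_addr: str
    local_ports: tuple         # (low, high), inclusive
    remote_ports: tuple        # (low, high), inclusive

    def matches(self, proto, laddr, lport, raddr, rport):
        return (self.protocol in (0, proto)
                and ip_address(laddr) == ip_address(self.local_addr)
                and ip_address(raddr) == ip_address(self.remote_addr)
                and self.local_ports[0] <= lport <= self.local_ports[1]
                and self.remote_ports[0] <= rport <= self.remote_ports[1])


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    selectors: tuple           # fixed when the SA is negotiated with the peer

    def protects(self, proto, laddr, lport, raddr, rport):
        return any(ts.matches(proto, laddr, lport, raddr, rport)
                   for ts in self.selectors)


def find_sa(sad, proto, laddr, lport, raddr, rport):
    """Outbound SAD lookup: the first SA whose selectors cover the 5-tuple,
    or None (meaning a new negotiation, not reuse, is needed)."""
    for sa in sad:
        if sa.protects(proto, laddr, lport, raddr, rport):
            return sa
    return None


# Constructed sample: hosts X and Y, ports A and B; SPIs are placeholders.
X, Y, A, B, TCP = "192.0.2.10", "192.0.2.20", 5000, 6000, 6
# SA negotiated only for the port-A policy: it cannot be widened later by X alone.
SA_PORT_A = SecurityAssociation(0x1001, (TrafficSelector(TCP, X, Y, (A, A), (A, A)),))
# SA whose selectors were negotiated up front to cover both policies' ports.
SA_BOTH = SecurityAssociation(0x1002, (TrafficSelector(TCP, X, Y, (A, A), (A, A)),
                                       TrafficSelector(TCP, X, Y, (B, B), (B, B))))
```

A lookup for X:B to Y:B against SA_PORT_A returns None, while the same lookup against SA_BOTH returns the SA, which is the only way the two policies end up sharing one SA in this model.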
  • I'm sorry for having been unclear, but no, unfortunately that's not what I meant.  It is about reusing the same SA between machine X and Y for different policies, say "secure all traffic with local and remote port number A" and "secure all traffic with local and remote port number B".

    I'm wondering if there is a way to reuse the same SA for securing X:A <-> Y:A and X:B <-> Y:B.  Both flows belong to the same pair of hosts, just different port numbers (and different policy).

    Regards,
    Eugene
    Friday, March 7, 2008 2:24 AM