When the IPsec tunnel is formed, traffic is sent between the IPsec terminating equipment/client at the remote office and the VPN concentrator located at the other end. The source and destination networks are not seen while the data is encrypted over the WAN. Only through a configuration error could the traffic be sent unencrypted from source to destination.

It makes no difference that you have multiple WAN links, or even that a potential for an asymmetrical traffic flow exists. The source and destination address as it appears in the WAN cloud always remains the same.

Best regards,
Mike Braun

-----Original Message-----
From: David Wilburn [mailto:dwilburn@mitre.org]
Sent: Wednesday, February 12, 2003 10:40 AM
To: nanog@merit.edu
Subject: IPsec with ambiguous routing

I've been attempting to beef up my knowledge of IPsec recently, and got to thinking hypothetically about a *possible* problem with implementing IPsec on larger networks. My experience with IPsec is currently limited at best, so hopefully I can communicate this properly:

Let's assume that I have a large-ish network with multiple connections to the Internet and ambiguous routing (meaning that a packet might come in one gateway and the response packet might leave through a different gateway). Let's also assume that I'd like to allow IPsec tunnels into my network to allow single workstations and small networks to attach to mine.

With such ambiguous routing, is my understanding correct that the response traffic could potentially bypass the VPN concentrator altogether and travel to the destination unencrypted? Is there any best practices advice for dealing with IPsec on such a network, or am I stuck with either "redesign your network architecture" or "don't allow IPsec?" From what I can figure, those last two options are my best bet, unless I want to allow lots of VPN concentrators deeper within the network where the routing is less ambiguous.

Are there any solutions for quickly, reliably, and securely sharing IPsec Security Association databases between gateways, so that the other gateways would know to encrypt the traffic before letting it out?

Any other relevant thoughts, experiences, insults, rude gestures, etc.?

Thanks!
-Dave Wilburn

"MMS <firstam.com>" made the following annotations on 02/12/03 11:04:13
------------------------------------------------------------------------------
"THIS E-MAIL MESSAGE AND ANY FILES TRANSMITTED HEREWITH, ARE INTENDED SOLELY FOR THE USE OF THE INDIVIDUAL(S) ADDRESSED AND MAY CONTAIN CONFIDENTIAL, PROPRIETARY OR PRIVILEGED INFORMATION. IF YOU ARE NOT THE ADDRESSEE INDICATED IN THIS MESSAGE (OR RESPONSIBLE FOR DELIVERY OF THIS MESSAGE TO SUCH PERSON) YOU MAY NOT REVIEW, USE, DISCLOSE OR DISTRIBUTE THIS MESSAGE OR ANY FILES TRANSMITTED HEREWITH. IF YOU RECEIVE THIS MESSAGE IN ERROR, PLEASE CONTACT THE SENDER BY REPLY E-MAIL AND DELETE THIS MESSAGE AND ALL COPIES OF IT FROM YOUR SYSTEM."
==============================================================================
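The two points made in this thread, as an added example that is not part of the original messages or of any poster's code: a small Python model of RFC 4301-style Security Policy Database (SPD) lookups on several egress gateways. It shows what Mike describes (when the protect policy matches, the WAN cloud sees only the tunnel endpoints in the outer header) and the configuration error David is worried about (a second Internet gateway with no matching protect policy forwards the reply in the clear). The audit function is the check a practitioner would want before relying on asymmetric routing: every gateway that can carry a protected flow must reach the same decision for it. All gateway names, addresses, policies and flows are constructed for this example.

```python
"""
Models outbound SPD lookups on several egress gateways and audits whether a
flow that one gateway protects could leave another gateway unencrypted.
All addresses, policies and flows below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                  # "protect", "bypass" or "discard"
    peer: Optional[str] = None   # tunnel endpoint (outer destination) for "protect"


@dataclass(frozen=True)
class Gateway:
    name: str
    wan_addr: str                # address this gateway uses on the WAN
    spd: tuple                   # ordered SpdEntry tuple; first match wins


# RFC 4301 semantics: a packet that matches no SPD entry is discarded.
DEFAULT = SpdEntry(ANY, ANY, "discard")


def spd_lookup(gw, src_ip, dst_ip):
    """First-match SPD lookup, as a gateway performs it for an outbound packet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in gw.spd:
        if src in entry.src and dst in entry.dst:
            return entry
    return DEFAULT


def on_the_wire(gw, src_ip, dst_ip):
    """What an observer in the WAN cloud sees after this gateway forwards the packet.

    Returns (outer_src, outer_dst, encrypted), or None if the packet is discarded.
    In tunnel-mode ESP the outer header carries only the two tunnel endpoints;
    the original source and destination sit inside the encrypted payload.
    """
    entry = spd_lookup(gw, src_ip, dst_ip)
    if entry.action == "discard":
        return None
    if entry.action == "protect":
        return (gw.wan_addr, entry.peer, True)
    return (src_ip, dst_ip, False)   # bypass: plaintext, inner addresses visible


def audit_flows(gateways, flows):
    """Flag flows that one gateway would protect but another would bypass.

    With asymmetric routing a reply may exit through any gateway, so every
    egress gateway needs an equivalent protect policy for the flow (or must
    not forward it at all). Returns [(src, dst, [leaky gateway names]), ...].
    """
    findings = []
    for src_ip, dst_ip in flows:
        decisions = {gw.name: spd_lookup(gw, src_ip, dst_ip).action for gw in gateways}
        if "protect" in decisions.values() and "bypass" in decisions.values():
            leaky = sorted(name for name, act in decisions.items() if act == "bypass")
            findings.append((src_ip, dst_ip, leaky))
    return findings


# Constructed topology: 10.0.0.0/8 is the campus, 192.168.50.0/24 a remote office
# reached through a tunnel whose far end is 203.0.113.10.
CAMPUS = ipaddress.ip_network("10.0.0.0/8")
REMOTE_OFFICE = ipaddress.ip_network("192.168.50.0/24")
TUNNEL_TO_REMOTE = SpdEntry(CAMPUS, REMOTE_OFFICE, "protect", peer="203.0.113.10")
BYPASS_ALL = SpdEntry(ANY, ANY, "bypass")

# gw-a is the VPN concentrator; gw-b is a second Internet gateway that was never
# given the tunnel policy (the constructed misconfiguration), then corrected.
GW_A = Gateway("gw-a", "198.51.100.1", (TUNNEL_TO_REMOTE, BYPASS_ALL))
GW_B_BAD = Gateway("gw-b", "198.51.100.2", (BYPASS_ALL,))
GW_B_FIXED = Gateway("gw-b", "198.51.100.2", (TUNNEL_TO_REMOTE, BYPASS_ALL))

# Constructed flows: a reply to the remote office, and ordinary Internet traffic.
FLOWS = [("10.1.1.5", "192.168.50.7"), ("10.1.1.5", "192.0.2.44")]

if __name__ == "__main__":
    print("gw-a on the wire:", on_the_wire(GW_A, "10.1.1.5", "192.168.50.7"))
    print("gw-b on the wire:", on_the_wire(GW_B_BAD, "10.1.1.5", "192.168.50.7"))
    print("findings before fix:", audit_flows([GW_A, GW_B_BAD], FLOWS))
    print("findings after fix: ", audit_flows([GW_A, GW_B_FIXED], FLOWS))
```

The audit only compares the policy each gateway would apply; it does not share Security Associations between gateways, which is what the original question asks about. Identical SPD entries on every egress gateway remove the plaintext leak, but each gateway still has to negotiate or be provisioned with its own SA to the peer before it can actually encrypt.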