i had a serious discussion with some technical folks regarding the Site-to-Site VPN parameter. and the scenario was, a new site to Site VPN tunnel is implemented between Site-A and Site-B. if the interesting traffic is not matching, whether the tunnel will be up?
i agree with the point that Phase 2 will not come up without successful Phase-1. We have encryption, Hash, PFS etc as parameter for Phase-2 negotiation. whether interesting traffic is a parameter for Phase-2 negotiation?
The reason for this question: interesting traffic configured in firewall-1 and firewall-2 are not identical, whether tunnel will be up with no tx/rx? or tunnel will not come-up since interesting traffic configured in both firewall is not matching.
RFC states this:
The identities of the SAs negotiated in Quick Mode are implicitly assumed to be the IP addresses of the ISAKMP peers, without any implied constraints on the protocol or port numbers allowed, unless client identifiers are specified in Quick Mode. If ISAKMP is acting as a client negotiator on behalf of another party, the identities of the parties MUST be passed as IDci and then IDcr. Local policy will dictate whether the proposals are acceptable for the identities specified. If the client identities are not acceptable to the Quick Mode responder (due to policy or other reasons), a Notify payload with Notify Message Type INVALID-ID-INFORMATION (18) SHOULD be sent.
How the IPSEC architecture is deployed in Checkpoint VPN?
thanks in advance.