Re: IPsec…

Linux Advanced Routing and Traffic Control


Thank you for the reply Ankit.

On 10/25/2018 10:43 PM, Sinha, Ankit Kumar (HPE Aruba) wrote:
> SELECTOR and UPSPEC in state (SA) are optional parameters.

That's what I thought.

> If one wants to configure it for state, it must match what is given in policy SELECTOR and UPSPEC.

Is it possible to have the SELECTOR and UPSPEC more specific on the state (SA) than on the policy?

I.e. SELECTOR / UPSPEC that specify a protocol (and possibly ports) when the policy just matches source / destination?

Granted, I don't think I would want to do this. I'm just wondering if it's possible. (I've obviously not tested yet.)

I'm trying to understand what is possible and why someone might choose to do something, or not. Motivations vs possibility.

> You can very well use the same state (SA) for multiple policies if you don't specify SELECTOR for state.

That's what I thought was the case.  Thank you for confirming.

> As per my understanding, SELECTOR and UPSPEC options in state (SA) are given to make it more specific to policy.

I agree that such is possible. I'm trying to understand why someone would want to do that. It's my understanding that the policy specifies the state (SA) via the reqid. As such, it's not a possibility that the wrong state (SA) can be used. Thus I don't see the need for the additional SELECTOR / UPSPEC in the state (SA).



--
Grant. . . .
unix || die
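
The configuration discussed in this thread, written out as `ip xfrm` commands: one state (SA) with no selector, referenced through its reqid by two policies, plus the optional `sel` form on the state. This is an added example, not part of the original message; the addresses, SPI, reqid and key are constructed, and the script only prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the thread. All values below are constructed.
LOCAL=192.0.2.1        # outer tunnel endpoints (documentation range)
REMOTE=192.0.2.2
REQID=42               # ties each policy template to the SA
SPI=0x1000
# 16-byte AES key + 4-byte salt for rfc4106(gcm(aes)); sample only, never reuse.
KEY=0x000102030405060708090a0b0c0d0e0f10111213

# Print the command (default) or execute it when APPLY=1 (needs root).
# Printed lines are for reading; the algorithm name needs quoting if pasted.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Add the outbound SA. Extra arguments are appended, so an optional
# "sel SELECTOR" can be passed; with none, the SA carries no selector.
add_state() {
    run ip xfrm state add src "$LOCAL" dst "$REMOTE" proto esp spi "$SPI" \
        reqid "$REQID" mode tunnel \
        aead 'rfc4106(gcm(aes))' "$KEY" 128 "$@"
}

# Add an outbound policy for inner prefixes $1 -> $2 whose template
# names the SA by its endpoints, protocol and reqid.
add_policy() {
    run ip xfrm policy add src "$1" dst "$2" dir out \
        tmpl src "$LOCAL" dst "$REMOTE" proto esp reqid "$REQID" mode tunnel
}

# One selector-less SA shared by two policies with different selectors.
setup() {
    add_state
    add_policy 10.1.0.0/24 10.2.0.0/24
    add_policy 10.1.0.0/24 10.3.0.0/24
}

# Variant: the same SA with a selector equal to the first policy's selector.
setup_with_sel() {
    add_state sel src 10.1.0.0/24 dst 10.2.0.0/24
    add_policy 10.1.0.0/24 10.2.0.0/24
}

setup
```

After applying, `ip xfrm state` and `ip xfrm policy` list what was installed, including the reqid on each.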
