Re: AH (without ESP) on a secure gateway
Pau-Chen wrote:
> I have a question triggered by the discussion:
>
> If two firewalls (gateways), IDii and IDir, did a successful ISAKMP
> phase-II proxy negotiation for IDui and IDur. Then, which one is the
> right usage of the SA resulting from the negotiation:
>
> 1. The SA is shared between IDii and IDir (the gateways), and IDii
> and IDir are performing IPSEC protection on traffic between IDui and
> IDur. In this case, IDui and IDur are unaware of the IPSEC
> protection.
>
> 2. The SA is shared between IDui and IDur and IDui and IDur perform
> IPSEC by themselves. IDii and IDir (the gateways) become more or less
> (IPSEC) transparent.
Number one is the correct usage.
Dan.