
Re: Is tunnel IP address included in SA?



Motonori,

>Please let me ask some very primitive questions.
>
>Let's suppose the following network:
>
>      |                               |
> PC1 -+                               +- PC2
>      |         (Internet)            |
>      +-- R1 --- ......... --- R2 ----+
>      |                               |
>
>Assume that R1 and R2 can do IPsec while PC1 and PC2 can't. PC1 sends
>an IP datagram to PC2.
>
>In this case,
>
> (1) R1 has to have an SA associated with PC2, right?

There has to be an SA from R1 to R2 over which traffic from PC1 to PC2 can
be carried.

> (2) Must AH and ESP be handled in tunnel mode?

Yes, all SAs involving a gateway must be tunnel mode SAs.

> (3) How can one figure out the tunnel IP address for a particular
>     destination address? Is Tunnel IP address included in SA?

Good question!  We require manual configuration initially, and defer
automated forms of discovery for R2 to a later document.

Steve
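
An added example, not part of the original message: a model of the manually configured lookup described above, showing how R1 could map an inner destination to the remote gateway of a tunnel-mode SA. All addresses (documentation ranges), SPIs, the third gateway, the fail-closed behaviour, and the idea of storing the peer gateway address alongside each SA entry are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TunnelSA:
    spi: int        # constructed value
    proto: str      # "esp" or "ah"
    local_gw: str   # R1's outer (Internet-facing) address
    peer_gw: str    # tunnel endpoint: the remote gateway's address

# Constructed, manually configured table on R1. Each entry ties a protected
# destination prefix to the tunnel-mode SA whose peer gateway fronts it.
R1_POLICY = [
    (ipaddress.ip_network("198.51.100.0/24"),
     TunnelSA(0x1001, "esp", "203.0.113.1", "203.0.113.2")),   # PC2's net, via R2
    (ipaddress.ip_network("198.51.100.64/28"),
     TunnelSA(0x1002, "esp", "203.0.113.1", "203.0.113.3")),   # hypothetical third gateway
]

def lookup_sa(policy, dst: str) -> Optional[TunnelSA]:
    """Return the SA for the most specific configured prefix containing dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, sa) for net, sa in policy if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def tunnel_encapsulate(policy, inner_src: str, inner_dst: str, payload: bytes) -> dict:
    """Model what R1 emits: outer header gateway to gateway, inner header untouched."""
    sa = lookup_sa(policy, inner_dst)
    if sa is None:
        # Assumption: fail closed rather than forward the datagram unprotected.
        raise LookupError(f"no tunnel SA configured for {inner_dst}")
    return {
        "outer": {"src": sa.local_gw, "dst": sa.peer_gw,
                  "proto": sa.proto, "spi": sa.spi},
        "inner": {"src": inner_src, "dst": inner_dst, "payload": payload},
    }

if __name__ == "__main__":
    # PC1 (192.0.2.10) sends to PC2 (198.51.100.20); both addresses constructed.
    print(tunnel_encapsulate(R1_POLICY, "192.0.2.10", "198.51.100.20", b"hello"))
```
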



