Re: ESP and AH used in tunnel mode by a Security Gateway

[Ben Rogers <ben@ascend.com>]

Stephen Waters <Stephen.Waters@digital.com> writes:

> 	I seem to remember asking this question before, but....
> 
> 	Although not covered in the IPSEC architecture, is there any
> restriction on a Security Gateway
> 	applying both ESP and AH in tunnel mode?

You could do this.  However, you'll want to be a little more precise
with your terminology.

ESP and AH in tunnel mode:

IP AH IP ESP IP DATA

You probably intended to apply ESP in tunnel mode and AH in transport
mode on top of that:

IP AH ESP IP DATA

Note that in an ISAKMP negotiation, you would negotiate a single
proposal containing an ESP transform with the tunnel mode attribute
and an AH transform with the transport mode attribute.  (This is
something we agreed to some time ago but which might not have made it
into the docs yet.)


ben

---

Follow-Ups:

• Re: ESP and AH used in tunnel mode by a Security Gateway
• From: Phuong Nguyen <phuong@raleigh.ibm.com>
• Re: ESP and AH used in tunnel mode by a Security Gateway
• From: Daniel Harkins <dharkins@cisco.com>
• Re: ESP and AH used in tunnel mode by a Security Gateway
• From: Stephen Kent <kent@bbn.com>

References:

• ESP and AH used in tunnel mode by a Security Gateway
• From: Stephen Waters <Stephen.Waters@digital.com>

---

• Prev by Date: Re: Comments on "Hybrid Auth. mode for IKE"
• Next by Date: Target date and implementation ?
• Prev by thread: Re: ESP and AH used in tunnel mode by a Security Gateway
• Next by thread: Re: ESP and AH used in tunnel mode by a Security Gateway
• Index(es):
  • Main
  • Thread