
Re: ESP and AH used in tunnel mode by a Security Gateway



Ben Rogers wrote:
> 
> Stephen Waters <Stephen.Waters@digital.com> writes:
> 
> >       I seem to remember asking this question before, but....
> >
> >       Although not covered in the IPSEC architecture, is there any
> > restriction on a Security Gateway
> >       applying both ESP and AH in tunnel mode?
> 
> You could do this.  However, you'll want to be a little more precise
> with your terminology.
> 
> ESP and AH in tunnel mode:
> 
> IP AH IP ESP IP DATA
> 
> You probably intended to apply ESP in tunnel mode and AH in transport
> mode on top of that:
> 
> IP AH ESP IP DATA
> 
> Note that in an ISAKMP negotiation, you would negotiate a single
> proposal containing an ESP transform with the tunnel mode attribute
> and an AH transform with the transport mode attribute.  (This is
> something we agreed to some time ago but which might not have made it
> into the docs yet.)
> 
> ben

I know it's a little weird, but is there any spec against this:

IP ESP AH IP DATA
IP ESP AH DATA

Thanks,
Phuong
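
Added example, not part of the original thread: a small Python classifier for header stacks written the way the messages above write them, using the reading Ben applies (a security header directly followed by an IP header is in tunnel mode, otherwise transport mode). The function names and the choice of TCP as the payload are assumptions made for illustration; the protocol numbers are the IANA values for IP-in-IP, ESP and AH.

```python
# Added example: classify the mode of each AH/ESP header in a header stack
# such as "IP AH ESP IP DATA", and show the Next Header value each carries.

# IANA protocol numbers used in the IPv4 Protocol / Next Header fields.
PROTO = {"IP": 4, "ESP": 50, "AH": 51}
DATA_PROTO = 6  # assumption: the innermost payload is TCP


def parse_stack(text):
    """Split and validate a stack such as 'IP AH ESP IP DATA'."""
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] != "IP" or tokens[-1] != "DATA":
        raise ValueError("stack must start with IP and end with DATA")
    for tok in tokens[:-1]:
        if tok not in PROTO:
            raise ValueError(f"unknown header {tok!r}")
    return tokens


def classify(text):
    """Return [(header, mode, next_header_value)] for each AH/ESP header."""
    tokens = parse_stack(text)
    result = []
    for cur, nxt in zip(tokens, tokens[1:]):
        if cur not in ("AH", "ESP"):
            continue  # plain IP headers carry no IPsec mode
        # Tunnel mode: the security header wraps a complete inner IP packet.
        mode = "tunnel" if nxt == "IP" else "transport"
        result.append((cur, mode, PROTO.get(nxt, DATA_PROTO)))
    return result


if __name__ == "__main__":
    # The four stacks written out in the thread.
    for stack in ("IP AH IP ESP IP DATA", "IP AH ESP IP DATA",
                  "IP ESP AH IP DATA", "IP ESP AH DATA"):
        print(stack)
        for header, mode, nh in classify(stack):
            print(f"  {header}: {mode} mode, next header = {nh}")
```

The classifier only labels each header's mode; it does not decide whether a given combination is permitted by the IPsec documents.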

