Re: ESP and AH used in tunnel mode by a Security Gateway
Ben Rogers wrote:
>
> Stephen Waters <Stephen.Waters@digital.com> writes:
>
> > I seem to remember asking this question before, but....
> >
> > Although not covered in the IPSEC architecture, is there any
> > restriction on a Security Gateway
> > applying both ESP and AH in tunnel mode?
>
> You could do this. However, you'll want to be a little more precise
> with your terminology.
>
> ESP and AH in tunnel mode:
>
> IP AH IP ESP IP DATA
>
> You probably intended to apply ESP in tunnel mode and AH in transport
> mode on top of that:
>
> IP AH ESP IP DATA
>
> Note that in an ISAKMP negotiation, you would negotiate a single
> proposal containing an ESP transform with the tunnel mode attribute
> and an AH transform with the transport mode attribute. (This is
> something we agreed to some time ago but which might not have made it
> into the docs yet.)
>
> ben
I know it's a little weird, but is there any spec against this:
IP ESP AH IP DATA
IP ESP AH DATA
Thanks,
Phuong