Re: ESP and AH used in tunnel mode by a Security Gateway
>>>>> "Stephen" == Stephen Waters <Stephen.Waters@digital.com> writes:
Stephen> I seem to remember asking this question before, but....
Stephen> Although not covered in the IPSEC architecture, is there any
Stephen> restriction on a Security Gateway
Stephen> applying both ESP and AH in tunnel mode?
Stephen> Thanks, Steve.
No, you may do so.
The combined transform was designed to reduce the overhead of doing this,
but you can explicitly do this.
A likely case where this happens is something like:
H--------SG1===========SG2-----G
         <----- AH ---->
<-----------ESP--------->
SG2 has negotiated an AH tunnel with SG1, and an ESP tunnel with H.
:!mcr!: | Network and security consulting/contract programming
Michael Richardson | Firewalls, TCP/IP and Unix administration
Personal: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
Corporate: sales@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/SSW/).
ON HUMILITY: To err is human, to moo bovine.