Re: ESP and AH used in tunnel mode by a Security Gateway

[Stephen Kent <kent@bbn.com>]

Ben,

>You could do this.  However, you'll want to be a little more precise
>with your terminology.
>
>ESP and AH in tunnel mode:
>
>IP AH IP ESP IP DATA
>
>You probably intended to apply ESP in tunnel mode and AH in transport
>mode on top of that:

Steve cited an SG as the IPsec site in question, so transport mode is not
applicable, since ALL transit traffic SAs at an SG are tunnel mode.

>IP AH ESP IP DATA
>
>Note that in an ISAKMP negotiation, you would negotiate a single
>proposal containing an ESP transform with the tunnel mode attribute
>and an AH transform with the transport mode attribute.  (This is
>something we agreed to some time ago but which might not have made it
>into the docs yet.)

The arch doc does call for tunnel+transport mode support at hosts, not SGs.

Steve

---

Follow-Ups:

• Re: ESP and AH used in tunnel mode by a Security Gateway
• From: Ben Rogers <ben@ascend.com>

References:

• ESP and AH used in tunnel mode by a Security Gateway
• From: Stephen Waters <Stephen.Waters@digital.com>
• Re: ESP and AH used in tunnel mode by a Security Gateway
• From: Ben Rogers <ben@ascend.com>

---

• Prev by Date: Re: ESP and AH used in tunnel mode by a Security Gateway
• Next by Date: Re: ESP and AH used in tunnel mode by a Security Gateway
• Prev by thread: Re: ESP and AH used in tunnel mode by a Security Gateway
• Next by thread: Re: ESP and AH used in tunnel mode by a Security Gateway
• Index(es):
  • Main
  • Thread