RE: ESP and AH used in tunnel mode by a Security Gateway
Ben,

Having slept on this, I think I'm going to take a slightly different approach for the sake of the sanity of the folk configuring IPSEC.

Since [IP AH IP ESP IP DATA] isn't of much use, my configuration tool asks if a given policy will apply tunnel OR transport mode. If for a tunnel mode policy, both ESP and AH are specified, I will interpret that as meaning [IP AH ESP IP DATA] - I don't really want to have to explain in the documentation that if you want a tunnel to be protected with ESP and AH, ESP needs to be specified as tunnel-mode and AH as transport mode!

If this means I'll have to play tricks at the IKE API, then I'll live with that.

Sound reasonable?

Steve.
> ----------
> From: Ben Rogers[SMTP:ben@ascend.com]
> Sent: Thursday, July 23, 1998 6:58 PM
> To: Stephen Waters
> Cc: ipsec@tis.com
> Subject: Re: ESP and AH used in tunnel mode by a Security Gateway
>
> Stephen Waters <Stephen.Waters@digital.com> writes:
>
> > I seem to remember asking this question before, but....
> >
> > Although not covered in the IPSEC architecture, is there any
> > restriction on a Security Gateway
> > applying both ESP and AH in tunnel mode?
>
> You could do this. However, you'll want to be a little more precise
> with your terminology.
>
> ESP and AH in tunnel mode:
>
> IP AH IP ESP IP DATA
>
> You probably intended to apply ESP in tunnel mode and AH in transport
> mode on top of that:
>
> IP AH ESP IP DATA
>
> Note that in an ISAKMP negotiation, you would negotiate a single
> proposal containing an ESP transform with the tunnel mode attribute
> and an AH transform with the transport mode attribute. (This is
> something we agreed to some time ago but which might not have made it
> into the docs yet.)
>
>
> ben
>
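The header stacking the two messages argue over, worked through in code. This is an added example, not code from either poster or from any IPsec implementation: it models how applying a bundle of SAs in sequence changes the on-the-wire header chain, shows the mapping Steve's configuration tool proposes (a tunnel-mode policy naming ESP and AH becomes ESP in tunnel mode with AH in transport mode on top), and sketches the single two-transform proposal Ben describes. The protocol numbers (IP-in-IP 4, ESP 50, AH 51) and the IPsec DOI identifiers (PROTO_IPSEC_AH 2, PROTO_IPSEC_ESP 3, Encapsulation Mode attribute class 4 with Tunnel 1 / Transport 2) are the IANA and RFC 2407 values; the `SA`, `apply_sa`, `bundle_for_policy` and `isakmp_proposal` names, and the dict shape used for a proposal, are this example's own assumptions.

```python
"""IPsec header stacking for ESP+AH policies (added example, not from the thread).

A packet is represented as a list of header names from outermost to
innermost, e.g. ["IP", "DATA"].  Applying an SA either inserts the
IPsec header after the outer IP header (transport mode) or wraps the
whole packet in a new outer IP header plus the IPsec header (tunnel mode).
"""
from dataclasses import dataclass

# IANA protocol numbers carried in the IP "protocol" field and in the
# AH / ESP "next header" fields.
PROTO_IPIP = 4      # an inner IP header follows
PROTO_TCP = 6       # stand-in for the innermost payload ("DATA")
PROTO_ESP = 50
PROTO_AH = 51

# IPsec DOI (RFC 2407) identifiers used when negotiating the SAs.
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3
ATTR_ENCAP_MODE = 4      # attribute class "Encapsulation Mode"
ENCAP_TUNNEL = 1
ENCAP_TRANSPORT = 2

PROTO_NUM = {"IP": PROTO_IPIP, "ESP": PROTO_ESP, "AH": PROTO_AH, "DATA": PROTO_TCP}


@dataclass(frozen=True)
class SA:
    protocol: str   # "ESP" or "AH"
    mode: str       # "tunnel" or "transport"


def apply_sa(headers: list[str], sa: SA) -> list[str]:
    """Return the header chain after one SA has been applied."""
    if sa.mode == "transport":
        return [headers[0], sa.protocol] + headers[1:]
    if sa.mode == "tunnel":
        return ["IP", sa.protocol] + headers
    raise ValueError(f"unknown mode {sa.mode!r}")


def apply_bundle(sas: list[SA], packet=("IP", "DATA")) -> list[str]:
    """Apply the SAs in order; the first SA applied ends up innermost."""
    headers = list(packet)
    for sa in sas:
        headers = apply_sa(headers, sa)
    return headers


def bundle_for_policy(mode: str, protocols: list[str]) -> list[SA]:
    """Map a policy (tunnel|transport, {ESP, AH}) to an ordered SA bundle.

    ESP is always applied first so that AH's integrity check covers the
    ESP header and payload.  When a tunnel-mode policy names both, only
    the inner ESP SA tunnels and AH rides on top in transport mode, which
    yields [IP AH ESP IP DATA] rather than a doubly encapsulated packet.
    """
    if not protocols or set(protocols) - {"ESP", "AH"}:
        raise ValueError("policy must name ESP, AH or both")
    order = [p for p in ("ESP", "AH") if p in protocols]
    bundle = [SA(order[0], mode)]
    bundle.extend(SA(p, "transport") for p in order[1:])
    return bundle


def next_header_chain(headers: list[str]) -> list[int]:
    """Protocol / next-header value each header carries for the one after it.

    (For ESP the value sits in the trailer; the chain is the same.)
    """
    return [PROTO_NUM[h] for h in headers[1:]]


def isakmp_proposal(bundle: list[SA]) -> list[dict]:
    """Loose model of one proposal: one transform per SA, each carrying
    its own Encapsulation Mode attribute (assumed dict shape)."""
    proto_id = {"AH": PROTO_IPSEC_AH, "ESP": PROTO_IPSEC_ESP}
    encap = {"tunnel": ENCAP_TUNNEL, "transport": ENCAP_TRANSPORT}
    return [{"protocol_id": proto_id[sa.protocol],
             "attributes": {ATTR_ENCAP_MODE: encap[sa.mode]}} for sa in bundle]


if __name__ == "__main__":
    naive = [SA("ESP", "tunnel"), SA("AH", "tunnel")]
    print("both tunnel:    ", " ".join(apply_bundle(naive)))
    for mode in ("tunnel", "transport"):
        bundle = bundle_for_policy(mode, ["AH", "ESP"])
        chain = apply_bundle(bundle)
        print(f"policy {mode:9}:", " ".join(chain), next_header_chain(chain))
        print("  proposal:", isakmp_proposal(bundle))
```

Running it prints the two chains from Ben's reply side by side: the naive "both tunnel" bundle gives `IP AH IP ESP IP DATA`, while the tunnel policy gives `IP AH ESP IP DATA` with the next-header chain 51, 50, 4, 6 and a proposal whose ESP transform carries Tunnel and whose AH transform carries Transport.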