Re: ESP and AH used in tunnel mode by a Security Gateway
Steve,
Stephen Waters <Stephen.Waters@digital.com> writes:
> Ben,
>
> Having slept on this, I think I'm going to take a slightly different
> approach for the sake of the sanity of the folk configuring IPSEC.
>
> Since [IP AH IP ESP IP DATA] isn't of much use, my configuration tool
> asks if a given policy will apply tunnel OR transport mode. If for a
> tunnel mode policy, both ESP and AH are specified, I will interpret
> that as meaning [IP AH ESP IP DATA] - I don't really want to have to
> explain in the documentation that if you want a tunnel to be protected
> with ESP and AH, ESP needs to be specified as tunnel-mode and AH as
> transport mode!
This is exactly the approach that I would recommend taking. There is
no need to make things difficult on the user (unless you get a
sadistic thrill from taunting them...).
> If this means I'll have to play tricks at the IKE API, then I'll
> live with that.
I guess this depends on who designed your API and how forward-looking
they were. I'm more concerned about what will get passed on the wire,
and hope that we can agree to a combined proposal with both AH and ESP
having tunnel attributes.
> Sound reasonable?
Sure.
ben
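To make the two layouts discussed in this thread concrete, here is an added example (not code from the thread or from either poster's implementation) that builds constructed sample packets for [IP AH ESP IP DATA] and [IP AH IP ESP IP DATA] and walks their on-wire next-header chain. The protocol numbers are IANA's; the addresses, SPIs, sequence numbers and zeroed ICV are constructed placeholders.

```python
import struct

IPPROTO_IPIP, IPPROTO_ESP, IPPROTO_AH = 4, 50, 51  # IANA protocol numbers

def ipv4_header(proto, payload):
    # Minimal IPv4 header (IHL=5, no options); checksum and addresses are placeholders.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def ah_header(next_hdr, payload, icv_len=12):
    # AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV.
    # The ICV is zeroed: this is a constructed sample, not an authenticated packet.
    plen = (12 + icv_len) // 4 - 2
    return struct.pack("!BBHII", next_hdr, plen, 0, 0x1000, 1) + bytes(icv_len) + payload

def esp_tunnel(inner):
    # ESP tunnel mode: new outer IP header, then ESP (SPI, sequence) around the whole
    # inner packet. On a real SA everything after the 8-byte ESP header is ciphertext.
    return ipv4_header(IPPROTO_ESP, struct.pack("!II", 0x2000, 1) + inner)

def add_ah(pkt, tunnel):
    # AH tunnel mode wraps the packet in yet another IP header: [IP AH IP ESP IP DATA].
    # AH transport mode slots AH between the existing outer IP header and ESP:
    # [IP AH ESP IP DATA], the layout the combined tunnel policy should produce.
    if tunnel:
        return ipv4_header(IPPROTO_AH, ah_header(IPPROTO_IPIP, pkt))
    ihl = (pkt[0] & 0x0F) * 4
    outer = bytearray(pkt[:ihl])
    body = ah_header(outer[9], pkt[ihl:])              # AH's next header = old protocol (ESP)
    outer[9] = IPPROTO_AH
    struct.pack_into("!H", outer, 2, ihl + len(body))  # fix up total length
    return bytes(outer) + body

def header_chain(pkt):
    # Walk the on-wire next-header chain. The walk stops at ESP because ESP's next-header
    # field sits in the encrypted trailer, so nothing past it is visible without the SA.
    chain, proto, off = [], IPPROTO_IPIP, 0
    while proto in (IPPROTO_IPIP, IPPROTO_AH):
        if proto == IPPROTO_IPIP:
            chain.append("IP")
            proto, off = pkt[off + 9], off + (pkt[off] & 0x0F) * 4
        else:
            chain.append("AH")
            proto, off = pkt[off], off + (pkt[off + 1] + 2) * 4
    chain.append("ESP ..." if proto == IPPROTO_ESP else "proto%d" % proto)
    return chain

INNER = ipv4_header(6, b"DATA")                     # constructed inner packet (TCP placeholder)
COMBINED = add_ah(esp_tunnel(INNER), tunnel=False)  # [IP AH ESP IP DATA]
NESTED = add_ah(esp_tunnel(INNED := INNER), tunnel=True) if False else add_ah(esp_tunnel(INNER), tunnel=True)  # [IP AH IP ESP IP DATA]
```

The nested form costs an extra 20-byte IP header that protects nothing the combined form does not already cover, which is the practical reason it "isn't of much use".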