
RE: IBM VPN Bakeoff Issues



>As I have mentioned in other recent messages, there was an explicit
>decision to not support the combination of AH + ESP in tunnel mode, as
>opposed to transport mode.  It was seen as redundant.  Thus I would agree
>with the other vendor's interpretation.

We have been here before, I know. My memory of that last discussion was that
customers had asked for AH+ESP tunnel.  Redundant or not, it was tested at
the workshop, and I don't feel like making it an implementation restriction
in our product.

For those that want to use AH+ESP tunnel adjacency, I'll be sending/expecting
both AH and ESP to be expressed as tunnel mode :)


>Well, remember that a bundle can apply to traffic terminating at two
>different endpoints, specifically the required combination of a tunnel SA
>to an SG with a transport SA to a host behind the SG.

It seems to me that some new terminology is needed here. This is a
'policy-bundle', and the SAs to the remote SG and the remote host will not
get negotiated in the same IKE Phase-2.  I will do one phase one/two with the
remote SG (perhaps building an SA-bundle for AH and ESP), and then another
with the remote host.  I could then have two SA-bundles, probably associated
with different SPD policies, making it a 'policy-bundle' as far as the local
SG is concerned (which terminates both SA-bundles in this example).

Steve
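The two-Phase-2 'policy-bundle' described in the message above, as an added illustration that is not part of the original post or of any vendor's product: a small Python model of one SPD entry made of two SA-bundles, each negotiated with a different IKE peer (the remote host and the remote SG), applied in order to an outbound packet so the resulting header stack can be inspected. The addresses, the `IP(src->dst)` header notation, and the rule that every SA in a bundle must terminate at that bundle's peer are constructed modelling assumptions, not text from the thread.

```python
"""Model of an IPsec 'policy-bundle': several SA-bundles, each from its own
IKE Phase-2 with a different peer, applied in sequence on outbound traffic.
Added illustration; all addresses and names are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SA:
    proto: str  # "AH" or "ESP"
    mode: str   # "tunnel" or "transport"
    src: str    # local end of the SA
    dst: str    # remote end of the SA (the address of the IKE peer)


@dataclass(frozen=True)
class SABundle:
    """SAs negotiated together in one IKE Phase-2 with a single peer."""
    peer: str
    sas: Tuple[SA, ...]

    def __post_init__(self) -> None:
        # Modelling assumption: one Phase-2 exchange talks to one peer, so an
        # SA that terminates elsewhere cannot come out of this bundle.
        for sa in self.sas:
            if sa.dst != self.peer:
                raise ValueError(
                    f"SA to {sa.dst} cannot be in a bundle negotiated with {self.peer}")


def apply_sa(headers: List[str], sa: SA) -> List[str]:
    """Return the header sequence (outermost first) after applying one SA."""
    if sa.mode == "transport":
        # Transport mode: the IPsec header goes between the current outer IP
        # header and whatever it was carrying.
        return [headers[0], sa.proto] + headers[1:]
    if sa.mode == "tunnel":
        # Tunnel mode: a new outer IP header (SA endpoints) and the IPsec
        # header are prepended; the whole original packet becomes payload.
        return [f"IP({sa.src}->{sa.dst})", sa.proto] + headers
    raise ValueError(f"unknown mode {sa.mode!r}")


def apply_policy_bundle(headers: List[str],
                        bundles: Tuple[SABundle, ...]) -> List[str]:
    """Apply each SA-bundle, and each SA within it, in the listed order."""
    for bundle in bundles:
        for sa in bundle.sas:
            headers = apply_sa(headers, sa)
    return headers


# Constructed topology: local SG, a remote SG, and a host behind the remote SG.
LOCAL = "192.0.2.1"
REMOTE_SG = "198.51.100.1"
REMOTE_HOST = "198.51.100.10"


def build_policy_bundle() -> Tuple[SABundle, ...]:
    """Two SA-bundles from two separate Phase-2 negotiations.

    The host bundle (transport SA to the host) is applied first, then the SG
    bundle (ESP tunnel to the SG with AH layered on the tunnel packet).
    """
    host_bundle = SABundle(
        peer=REMOTE_HOST,
        sas=(SA("ESP", "transport", LOCAL, REMOTE_HOST),))
    sg_bundle = SABundle(
        peer=REMOTE_SG,
        sas=(SA("ESP", "tunnel", LOCAL, REMOTE_SG),
             SA("AH", "transport", LOCAL, REMOTE_SG)))
    return (host_bundle, sg_bundle)


def outbound_example() -> List[str]:
    """Header stack of one outbound TCP packet after the policy-bundle."""
    inner = [f"IP({LOCAL}->{REMOTE_HOST})", "TCP"]
    return apply_policy_bundle(inner, build_policy_bundle())


if __name__ == "__main__":
    print(" | ".join(outbound_example()))
```

Each SA-bundle carries exactly one peer, which is what makes the SPD entry a policy-bundle rather than a single SA-bundle: the host SAs and the SG SAs can never be produced by one Phase-2, and the model rejects a bundle that mixes them.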