RE: IBM VPN Bakeoff Issues
>As I have mentioned in other recent messages, there was an explicit
>decision to not support the combination of AH+ESP in tunnel mode, as
>opposed to transport mode. It was seen as redundant. Thus I would agree
>with the other vendor's interpretation.
We have been here before, I know. My memory of that last discussion was that
customers had asked for AH+ESP tunnel. Redundant or not, it was tested at
the workshop, and I don't feel like making it an implementation restriction
in our product.

For those that want to use AH+ESP tunnel adjacency, I'll be sending/expecting
both AH and ESP to be expressed as tunnel mode :)
>Well, remember that a bundle can apply to traffic terminating at two
>different endpoints, specifically the required combination of a tunnel SA
>to an SG with a transport SA to a host behind the SG.
It seems to me that some new terminology is needed here. This is a
'policy-bundle', and the SAs to the remote SG and the remote host will not
get negotiated in the same IKE Phase-2. I will do one phase one/two with the
remote SG (perhaps building an SA-bundle for AH and ESP), and then another
with the remote host. I could then have two SA-bundles, probably associated
with different SPD policies, making it a 'policy-bundle' as far as the local
SG is concerned (which terminates both SA-bundles in this example).
Steve