Re: minor inconsistency in arch doc (maybe)

["Scott G. Kelly" <skelly@redcreek.com>]

Steve,

I guess I didn't really make myself clear - let me try again. First,
here's a simple schematic:

    H1-----SGW1-------SGW2----H2

In SGW1, I want to apply ESP tunnel mode to IP datagrams from H1 to H2.
Note that there may be other hosts on H1's net, and also on H2's net,
and I am including only H1 and H2 as reps of those nets for simplicity.
Now, in SGW1, I have the following policy entries, among others:

sourceIP      destIP     protocol    ports     SA parms
====================================================================
 H1's IP      H2's IP      *          *        ESP-tunnel,3DES,SHA1
 SGW1's IP    SGW2's IP    ESP        --       AH-transport,SHA1

An alternative policy set which produces a similar effect:

sourceIP      destIP     protocol    ports     SA parms
====================================================================
 H1's IP      H2's IP      ESP        *        AH-transport,SHA1

Note the use of ESP in the protocol field. My question: does this
violate the design intent of the architecture, or is the language I
quoted in my earlier post a bit misleading?

Scott

---

Follow-Ups:

• Re: minor inconsistency in arch doc (maybe)
• From: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>

References:

• Re: minor inconsistency in arch doc (maybe)
• From: Stephen Kent <kent@bbn.com>

---

• Prev by Date: Paul Koning: Re: IBM VPN Bakeoff Issues
• Next by Date: Re: IBM VPN Bakeoff Issues
• Prev by thread: Re: minor inconsistency in arch doc (maybe)
• Next by thread: Re: minor inconsistency in arch doc (maybe)
• Index(es):
  • Main
  • Thread