
Re: Encapsulation of IPsec Datagrams - Performance Question



Joel,

>	Although I am still in the process of studying IPsec, I have yet
>to find an answer to this question, although I know that it must be in the
>RFCs.  Suppose that I want to encapsulate an IPsec datagram into another
>IPsec datagram.  For example, if I have a transport mode datagram inside
>of a tunnel mode datagram.  Does the payload data get encrypted twice or
>only once?  In other words, is ESP intelligent enough to determine that it
>doesn't need to spend CPU cycles encrypting the payload of tunnel mode if
>it is already encrypted?

If encryption is called for in both transport and tunnel mode SPD entries,
then the data is encrypted twice, because that's what you specified.  If
you wanted something else to happen, you need to construct appropriate SPD
entries to reflect that.

Steve

