Re: Encapsulation of IPsec Datagrams - Performance Question
> Although I am still in the process of studying IPsec, I have
> yet to find an answer to this question, although I know that it must
> be in the RFCs. Suppose that I want to encapsulate an IPsec
> datagram into another IPsec datagram. For example, if I have a
> transport mode datagram inside of a tunnel mode datagram. Does the
> payload data get encrypted twice or only once? In other words, is
> ESP intelligent enough to determine that it doesn't need to spend
> CPU cycles encrypting the payload of tunnel mode if it is already
> encrypted?
No, it gets encrypted twice. This is a feature, not a bug.
For one, the transport-mode IPsec packet going into the tunnel may be
headed for a different destination than the tunnel endpoint.
- Bill
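
The double encryption described in the reply, as an added example that is not part of the original message: each SA applies its own ESP processing, so the tunnel exit removes only the outer layer and forwards bytes it cannot read. The SA values, keys and function names are constructed for illustration, an HMAC-SHA256 keystream stands in for a real ESP cipher, and IP headers, IVs and padding are omitted.

```python
import hashlib
import hmac
import struct
from collections import namedtuple

# Simplified SA: SPI plus separate encryption and integrity keys (constructed values).
SA = namedtuple("SA", "spi enc_key auth_key")

def _keystream(key, nonce, n):
    # Toy cipher: HMAC-SHA256 in counter mode, standing in for a real ESP transform.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def esp_seal(sa, seq, payload):
    """Return SPI | sequence number | ciphertext | 12-byte ICV."""
    hdr = struct.pack("!II", sa.spi, seq)
    ct = _xor(payload, _keystream(sa.enc_key, hdr, len(payload)))
    return hdr + ct + hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:12]

def esp_open(sa, packet):
    """Verify the ICV and decrypt; raises ValueError on the wrong SA or tampering."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    hdr, ct, icv = packet[:8], packet[8:-12], packet[-12:]
    if struct.unpack("!I", hdr[:4])[0] != sa.spi:
        raise ValueError("SPI does not match this SA")
    expect = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ICV check failed")
    return _xor(ct, _keystream(sa.enc_key, hdr, len(ct)))

def nested_demo(data=b"application data from host A"):
    host_sa = SA(0x1001, b"host-enc-key", b"host-auth-key")  # host A <-> host B
    gw_sa = SA(0x2002, b"gw-enc-key", b"gw-auth-key")        # tunnel entry <-> exit
    inner = esp_seal(host_sa, 1, data)   # first encryption, at host A
    outer = esp_seal(gw_sa, 1, inner)    # second encryption, at the tunnel entry
    at_tunnel_exit = esp_open(gw_sa, outer)        # outer layer removed
    at_host_b = esp_open(host_sa, at_tunnel_exit)  # inner layer removed
    return inner, outer, at_tunnel_exit, at_host_b

if __name__ == "__main__":
    inner, outer, mid, final = nested_demo()
    print(len(inner), len(outer), b"application" in mid, final)
```
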