
RE: IPSEC tunnels for LAN-to-LAN interop issue



Lars,

>-----BEGIN PGP SIGNED MESSAGE-----
>
>  richard> To the other end of the tunnel, shouldn't it look like / be
>  richard> negotiated as tunnel-mode IPSEC?
>
>Can the remote end distinguish if a tunneled IPsec packet was created by IPIP
>encapsulation + IPsec transport mode or IPsec tunnel mode? In either case, the
>incoming SA will have to match on the outer header.

Yes, the outer header will be the same in either case, but transport mode
calls for matching SA selectors against the outer IP header and the
immediately following transport header (if port selectors are employed),
whereas tunnel mode calls for matching the selectors against the inner IP
and transport headers.  Thus the processing is different for each case.

Steve
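
The difference in selector matching described in the reply above, as an added example that is not part of the original message. It assumes IPv4 only and models the packet after IPsec processing as the outer IP header followed directly by the protected payload; the function names and sample addresses are constructed for illustration.

```python
import socket
import struct

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (20-byte header, checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:])

def ports(proto, payload):
    """Source/destination port if the header is TCP (6) or UDP (17)."""
    if proto in (6, 17) and len(payload) >= 4:
        return struct.unpack("!HH", payload[:4])
    return (None, None)

def selector_fields(pkt, mode):
    """Fields an inbound SA's selectors are compared against.

    pkt models the packet after IPsec processing: the outer IP header
    followed directly by the protected payload.
    """
    src, dst, proto, payload = parse_ipv4(pkt)
    if mode == "transport":
        # Outer IP header plus the transport header immediately after it.
        return (src, dst, proto) + ports(proto, payload)
    if mode == "tunnel":
        if proto != 4:  # 4 = IPv4-in-IPv4
            raise ValueError("tunnel mode expects an inner IP packet")
        isrc, idst, iproto, ipayload = parse_ipv4(payload)
        return (isrc, idst, iproto) + ports(iproto, ipayload)
    raise ValueError("unknown mode")

# Constructed sample: a UDP datagram between two private hosts, carried
# between two gateways (documentation addresses).
INNER = ipv4("10.1.0.5", "10.2.0.9", 17, struct.pack("!HHHH", 5000, 53, 8, 0))
OUTER = ipv4("192.0.2.1", "198.51.100.1", 4, INNER)

if __name__ == "__main__":
    print("transport:", selector_fields(OUTER, "transport"))
    print("tunnel:   ", selector_fields(OUTER, "tunnel"))
```

For the same bytes on the wire, the transport-mode lookup sees only the gateway addresses and protocol 4 with no ports, while the tunnel-mode lookup sees the inner hosts, UDP and the port pair.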

