[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSEC tunnels for LAN-to-LAN interop issue

To: ipsec@lists.tislabs.com
Subject: Re: IPSEC tunnels for LAN-to-LAN interop issue
From: Dan Harkins <dharkins@network-alchemy.com>
Date: Thu, 26 Aug 1999 15:33:05 -0700
In-reply-to: Your message of "Thu, 26 Aug 1999 14:00:47 PDT." <199908262100.OAA00933@potassium.network-alchemy.com>
Sender: owner-ipsec@lists.tislabs.com

On Thu, 26 Aug 1999 14:00:47 PDT I wrote
> > 
> > That was my understanding for the sending side when an outgoing packet is
> > tunneled. However, on the incoming side, the SA selectors must match agains
>t
> > the outer header, because inner header and transport layer may be
> > encrypted. Or am I missing something? If this is correct, I still think the
>re
> > is an ambiguity as to who is responsible for decapsulation.
> 
> The selectors don't apply at that stage on the inbound side. The SA is 
> looked up against the SPI, protocol (which would be 4), and destination
                                      ^^^^^^^^^^^^^^^^^^

BBBZZZzzzttt! Wrong answer! Protocol is the IPSec protocol (AH or ESP),
not the protocol of the protected packet. 

  Dan.

References:

Re: IPSEC tunnels for LAN-to-LAN interop issue

From: Dan Harkins <dharkins@network-alchemy.com>

Prev by Date: Re: IPSEC tunnels for LAN-to-LAN interop issue
Next by Date: RE: IPSEC tunnels for LAN-to-LAN interop issue
Prev by thread: Re: IPSEC tunnels for LAN-to-LAN interop issue
Next by thread: RE: IPSEC tunnels for LAN-to-LAN interop issue
Index(es):
- Main
- Thread