RE: Transport / Tunnel Mode
Hi,
First of all, I would like to correct your question: what you have mentioned is in RFC 2401 (section 4.1), not in RFC 2402 as you wrote.

Now, taking up your question, let us take this topology. PC1 is a host in Network 1 with GW1 as the security gateway; Network 1 is also reachable through R1. Similarly, PC2 is a host in Network 2 with GW2 as the security gateway; Network 2 is also reachable through R2.

Now, when PC2 sends a packet to PC1 which has to be protected by IPsec, GW2 (the security gateway for Network 2) will provide the IPsec protection. If it is using a transport-mode SA, then the packet will look like [IP][IPSEC Header][ULP] (this is with reference to RFC 2401 only). Note that the IP header contains the address of PC2 as the source and PC1 as the destination. This packet has to be routed to Network 1, which is reachable through GW1 and R1. If, due to the routing decisions, the packet is routed through R1 (note that R1 is not the security gateway for PC1), then R1, seeing the destination address as PC1, will forward the packet to PC1, which is not at all capable of understanding IPsec-protected packets.

To avoid this type of situation, if the packets are tunneled, then after IPsec processing by GW2 the packet will look like [IPo][IPSec][IPi][ULP], where IPo is the outer IP header containing GW1 as the destination and GW2 as the source. This makes sure that the packet will reach GW1, so that it can provide the necessary IPsec processing and forward the packet to PC1.

Any comments regarding this are most welcome.
Regards,
Awan.
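The multiple-path problem Awan describes can be made concrete with a small simulation. The following Python is an added example written for this archive page; it is not code from either mail or from any IPsec implementation. The addresses, the "Internet-side router" that chooses between GW1 and R1, and the per-node behaviour are all constructed assumptions that model only the topology in the reply: PC1 drops anything carrying an IPsec header, R1 is a plain router, and GW1 is the only node in Network 1 that processes IPsec.

```python
from dataclasses import dataclass
from typing import Union

# Constructed addresses for the topology in the mail (assumption, not from the thread).
PC1, GW1, R1 = "10.1.0.10", "10.1.0.1", "10.1.0.2"   # Network 1: host, security gateway, plain router
PC2, GW2, R2 = "10.2.0.10", "10.2.0.1", "10.2.0.2"   # Network 2: host, security gateway, plain router


@dataclass
class Packet:
    src: str
    dst: str
    payload: Union[bytes, "Packet"]   # ULP data, or the inner IP packet in tunnel mode
    ipsec: bool = False               # True when an IPsec header follows this IP header


def transport_mode(pkt: Packet) -> Packet:
    """GW2 applies a transport-mode SA: [IP][IPSec][ULP]. The IP addresses are unchanged."""
    return Packet(pkt.src, pkt.dst, pkt.payload, ipsec=True)


def tunnel_mode(pkt: Packet, gw_src: str, gw_dst: str) -> Packet:
    """GW2 applies a tunnel-mode SA: [IPo][IPSec][IPi][ULP]. Outer header is GW2 -> GW1."""
    return Packet(gw_src, gw_dst, pkt, ipsec=True)


def layout(pkt: Packet) -> str:
    """Render the header sequence in the notation the mail uses."""
    if isinstance(pkt.payload, Packet):
        return "[IPo][IPSec]" + layout(pkt.payload).replace("[IP]", "[IPi]")
    return "[IP]" + ("[IPSec]" if pkt.ipsec else "") + "[ULP]"


def edge_router_next_hop(pkt: Packet, prefer_r1: bool) -> str:
    """Router on the path from Network 2: Network 1 is reachable via GW1 *and* R1.
    A packet addressed to one of those two nodes goes straight to it; a packet
    addressed to a host inside Network 1 takes whichever path routing prefers."""
    if pkt.dst in (GW1, R1):
        return pkt.dst
    return R1 if prefer_r1 else GW1


def node_receive(node: str, pkt: Packet) -> str:
    """What each Network-1 node does with an arriving packet (constructed model)."""
    if node == R1:
        # Plain router: no SA, no IPsec processing; forwards on the destination address.
        if pkt.dst == R1:
            return "dropped: R1 has no IPsec SA"
        return node_receive(pkt.dst, pkt)
    if node == GW1:
        if pkt.dst == GW1 and isinstance(pkt.payload, Packet):
            # Tunnel mode: verify/decrypt, strip outer header and IPsec header,
            # then forward the inner packet to its own destination.
            return node_receive(pkt.payload.dst, pkt.payload)
        if pkt.ipsec and pkt.dst != GW1:
            # Transport mode transiting the gateway: process IPsec, forward the plain packet.
            return node_receive(pkt.dst, Packet(pkt.src, pkt.dst, pkt.payload, ipsec=False))
        return node_receive(pkt.dst, pkt)
    if node == PC1:
        if pkt.ipsec:
            return "dropped: PC1 cannot process IPsec-protected packets"
        return f"delivered to PC1 from {pkt.src}: {pkt.payload!r}"
    return f"dropped: unknown node {node}"


def simulate(mode: str, prefer_r1: bool) -> str:
    """PC2 sends to PC1; GW2 protects the packet in the given mode; routing picks a path."""
    plain = Packet(PC2, PC1, b"hello")
    protected = transport_mode(plain) if mode == "transport" else tunnel_mode(plain, GW2, GW1)
    return node_receive(edge_router_next_hop(protected, prefer_r1), protected)


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for via_r1 in (False, True):
            path = "via R1" if via_r1 else "via GW1"
            print(f"{mode:9} {path:7} -> {simulate(mode, via_r1)}")
```

Running it shows the asymmetry: the transport-mode packet is delivered only when routing happens to pick GW1, and is dropped at PC1 when it enters Network 1 through R1, whereas the tunnel-mode packet is addressed to GW1 in its outer header and therefore reaches the gateway regardless of which path routing prefers for Network 1.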
Hi,

As per RFC 2402, under section 1, i.e. "Definition and Scope":

"The requirement for any (transit traffic) SA involving a security gateway to be a tunnel SA arises due to the need to avoid potential problems with regard to fragmentation and reassembly of IPsec packets, and in circumstances where multiple paths (e.g., via different security gateways) exist to the same destination behind the security gateways."

Can anyone please explain how we can avoid fragmentation / reassembly in tunnel mode, and why it is not possible in transport mode?

WHY IS IT REQUIRED TO USE TUNNEL MODE ONLY IN A SECURITY GATEWAY??
Cheers
Akshay