
Re: routing and outbound.




A packet would go through both inbound and outbound IPsec processing only
if a tunnel is being terminated at the router and a new tunnel is being initiated
from the router on the same packet stream. I would guess this would constitute
hop-by-hop IPsec.

Typically, you would perform:
      Inbound processing, Routing OR
      Outbound processing, Routing

In the cases you mention you assume that routing has to be
performed once. That may not be necessarily valid. It all depends
on your design.

One possibility could be that SPD rule processing tells you whether
(Inbound or Outbound) IPsec processing is needed or whether Routing
is needed. Here you could get by with just one routing iteration.

Another possibility could be that you receive a packet on an IPsec-enabled
interface. It goes through inbound IPsec processing, comes out and gets
routed to another interface. Depending on whether the outgoing interface
is IPsec-enabled or not, the packet goes through another round of IPsec
processing and routing. That would be close to case 2 you mentioned.

I am sure there are other ways to do it too.

Then nesting of tunnels can add another complexity to take care of.

--Atul

In a message dated 11/25/2001 4:59:13 PM Eastern Standard Time, mahdavi110@yahoo.com writes:


Hi Lars Eggert.
No. I am trying to design an IPSEC armed router. A router acts as a
security gateway so it uses tunnel mode, not transport.
Now my question is: if there is a router that has some interfaces and these
interfaces may be IPSEC armed or not, which is the correct
configuration, case 1, 2 or 3? Which one? Or is there another way?

And what do you mean by hop-by-hop IPSEC?
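The forwarding pipeline Atul sketches above (inbound IPsec processing on an IPsec-enabled ingress interface, a single routing lookup, then outbound IPsec processing only if the egress interface is IPsec-enabled, with the SPD deciding PROTECT/BYPASS/DISCARD) as a small Python model. This is an added example written for this archive page, not code from either poster. The topology, addresses (RFC 5737 documentation ranges), SPIs, the one-peer-per-interface rule and the bidirectional SPD selectors are all constructed assumptions; tunnel mode only, no nested tunnels.

```python
import ipaddress

# Constructed topology for this example: router R with three interfaces.
# Assumption: each IPsec-enabled interface has exactly one tunnel peer.
INTERFACES = {
    "eth0": {"ipsec": True,  "addr": "203.0.113.1",  "peer": "203.0.113.2"},  # to site A
    "eth1": {"ipsec": False, "addr": "10.0.0.1",     "peer": None},           # local LAN
    "eth2": {"ipsec": True,  "addr": "198.51.100.1", "peer": "198.51.100.2"}, # to site B
}

# Routing table: longest-prefix match, consulted once per packet.
ROUTES = [
    ("10.0.0.0/24", "eth1"),
    ("192.0.2.0/24", "eth0"),
    ("172.16.0.0/16", "eth2"),
    ("0.0.0.0/0", "eth0"),
]

# SPD: ordered, first match wins. Selectors match in either direction so one
# table serves inbound and outbound lookups; the tunnel peer is taken from
# the interface (assumption above), not from the SPD entry.
SPD = [
    ("10.0.0.0/24",  "192.0.2.0/24",  "PROTECT"),  # LAN <-> site A
    ("10.0.0.0/24",  "172.16.0.0/16", "PROTECT"),  # LAN <-> site B
    ("192.0.2.0/24", "172.16.0.0/16", "PROTECT"),  # site A <-> site B transit (hop-by-hop)
    ("10.0.0.0/24",  "0.0.0.0/0",     "BYPASS"),   # LAN <-> anything else, in the clear
    ("0.0.0.0/0",    "0.0.0.0/0",     "DISCARD"),  # default deny
]

# SAD: inbound SPI -> expected peer; outbound peer -> SPI to use (constructed).
SAD_IN = {0x1001: "203.0.113.2", 0x2001: "198.51.100.2"}
SAD_OUT = {"203.0.113.2": 0x1002, "198.51.100.2": 0x2002}

# Packets are dicts: {"src", "dst", "payload"} for plain IP; an ESP tunnel-mode
# packet additionally carries {"spi", "inner"} (outer header plus inner packet).

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def route_lookup(dst):
    best = None
    for prefix, ifname in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ifname)
    return best[1] if best else None

def spd_lookup(pkt):
    for a, b, action in SPD:
        if (_in(pkt["src"], a) and _in(pkt["dst"], b)) or (_in(pkt["src"], b) and _in(pkt["dst"], a)):
            return action
    return "DISCARD"

def inbound_ipsec(pkt, ingress):
    """Inbound processing on an IPsec-enabled interface. Returns (packet or None, reason)."""
    if "spi" in pkt:
        peer = SAD_IN.get(pkt["spi"])
        if peer is None:
            return None, "unknown-spi"
        # The outer source must be the peer this SA was negotiated with, and
        # that peer must be the one reachable through the ingress interface.
        if pkt["src"] != peer or peer != INTERFACES[ingress]["peer"]:
            return None, "sa-peer-mismatch"
        inner = pkt["inner"]
        # Policy check after decapsulation: the inner selectors must be ones
        # the SPD says should have been protected; otherwise drop.
        if spd_lookup(inner) != "PROTECT":
            return None, "policy-does-not-cover-sa"
        return inner, "decapsulated"
    # Cleartext arrival: refuse traffic the SPD says must come protected.
    action = spd_lookup(pkt)
    if action == "PROTECT":
        return None, "cleartext-where-protect-required"
    if action == "DISCARD":
        return None, "discard"
    return pkt, "bypass"

def outbound_ipsec(pkt, egress):
    """Outbound processing on an IPsec-enabled interface: encapsulate, pass, or drop."""
    action = spd_lookup(pkt)
    if action == "DISCARD":
        return None, "discard"
    if action == "BYPASS":
        return pkt, "bypass"
    peer = INTERFACES[egress]["peer"]
    outer = {"src": INTERFACES[egress]["addr"], "dst": peer, "spi": SAD_OUT[peer], "inner": pkt}
    return outer, "encapsulated"

def forward(pkt, ingress):
    """Inbound IPsec (if ingress is IPsec-enabled), one route lookup, outbound IPsec (if egress is)."""
    trace = []
    if INTERFACES[ingress]["ipsec"]:
        pkt, why = inbound_ipsec(pkt, ingress)
        trace.append(f"inbound-ipsec:{why}")
        if pkt is None:
            return None, trace
    egress = route_lookup(pkt["dst"])
    trace.append(f"route:{egress}")
    if egress is None:
        return None, trace
    if INTERFACES[egress]["ipsec"]:
        pkt, why = outbound_ipsec(pkt, egress)
        trace.append(f"outbound-ipsec:{why}")
        if pkt is None:
            return None, trace
    return pkt, trace

if __name__ == "__main__":
    # Hop-by-hop case: tunnel from site A terminates here, new tunnel to site B starts.
    esp = {"src": "203.0.113.2", "dst": "203.0.113.1", "spi": 0x1001,
           "inner": {"src": "192.0.2.7", "dst": "172.16.1.1", "payload": "x"}}
    print(forward(esp, "eth0")[1])
```

The transit packet from site A to site B is the only one that touches both inbound and outbound IPsec processing, with a single routing lookup in between; LAN traffic to site A sees routing plus outbound processing only, and site A traffic to the LAN sees inbound processing plus routing only. The inbound branch also covers the check a gateway must not skip: a cleartext packet arriving on the tunnel interface with selectors the SPD says must be protected is dropped rather than forwarded. Nested tunnels (an inner packet that is itself ESP terminated at this router) are not modelled.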



