[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IPComp CA and IPsec SA negotiations
Joachim,
From following the interoperabilty tests of IPComp
in the context of IPsec, it seems that very few implementations
support the negotiation of a standalone IPComp, and most
support the negotiation with ESP in a Protection Suite,
i.e. a bundle.
Regards,
avram
Joachim Abrahmsén wrote:
> We're about to implement support for compression into our VPN-product,
> but can't quite figure out how to extend the IKE negotiation in order to
> include IPComp.
>
> RFC 3173 section 4.1 says
> "For IPComp in the context of IP Security, IKE provides the necessary
> mechanisms and guidelines for establishing IPCA. Using IKE, IPComp
> can be negotiated as stand-alone or in conjunction with other IPsec
> protocols."
>
> What I want is to _use_ IPComp in conjuntion with other IPsec (in my
> case ESP) protocols.
>
> If I interpret this correctly I may do it either way; negotiating them
> as two separate SA, possibly as two SA payloads in the same QM
> negotiation, or as a SA boundle with ESP and IPComp in the same
> proposal.
> I would prefer to negotiate them separately, since I don't wan't the
> whole negotiation to fail because the peer doesn't support IPComp, and I
> would prefer not to duplicate my proposals (with and without IPComp).
>
> What is common practise?
>
> Thanks in advance
>
> -Joachim
>
>
>
>