[strongSwan] IPSEC Processing on a Security Gateway
Andreas Steffen
andreas.steffen at strongswan.org
Sun Jan 9 00:21:32 CET 2011
Hello Bharat,
if you have an IPsec tunnel between Host A and Host B
and an IPsec tunnel between Gateway 1 and Gateway 2
then the Host-to-Host ESP packets will be encapsulated
by the Gateway-Gateway tunnel:
New IP | ESP | IP | ESP | Orig IP | UDP |
               |<---- inner tunnel ---->|
         |<------- outer tunnel ------->|
Regards
Andreas
On 01/08/2011 06:04 AM, Bharat S wrote:
> Hi all,
> I have a question regarding IPSec processing on a Security Gateway (SEG).
> Consider a network as below.
>
>
> Host A ---------------------- Gateway 1 -------------------- Gateway 2 -------------------- Host B
>
> Suppose the IPSec tunnel is required to be initiated from Host A to
> Host B. I was wondering how the IPSec packets will be
> processed en route to Host B. Let's say it's ESP in tunnel mode. The
> packet from Host A to Gateway 1 would appear as below
>
>
> New IP | ESP | Orig IP | UDP
>
> My question is, when this packet is received on Gateway 1, will the ESP
> header of this packet be decrypted to form another ESP
> and the resulting packet going out would appear like
>
> New IP | ESP | Orig IP | UDP
>
>
> OR
>
> Or is the entire IP packet received given as input to form another
> ESP packet? And the resulting packet going out would appear like
>
> New IP | ESP | IP | ESP | Orig IP | UDP
>          |<-----------hashed---------->|
>
>
> I hope you have got my question. Please correct me if I am wrong at any
> place, and I would appreciate it if you could guide me to some
> specification that explains the IPSec processing on Gateways.
>
>
> Many Thanks,
> Bharat
>
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
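As an added illustration of the nesting Andreas describes (example code written for this archive page, not strongSwan code and not posted on the list): the inner host-to-host ESP is built first, the gateway then wraps the whole IP packet in its own ESP, and each node can only peel the layer whose SA it holds. ESP-NULL encryption with an HMAC-SHA-256-128 ICV is used so the layout stays readable; the addresses, SPIs and keys are constructed sample values, and the ICV covering ESP header through trailer but not the outer IP header is standard ESP (RFC 4303), which answers the "hashed" span in Bharat's question.

```python
import hashlib, hmac, struct

ESP, IPIP, UDP = 50, 4, 17   # IP protocol numbers: ESP, IP-in-IP, UDP

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (constructed sample; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       *(bytes(map(int, a.split("."))) for a in (src, dst)))

def esp_encap(key, spi, seq, payload, next_hdr):
    """ESP with NULL encryption (RFC 2410) so the nesting stays readable."""
    pad = (-(len(payload) + 2)) % 4                     # trailer: pad, pad len, next header
    body = payload + bytes(range(1, pad + 1)) + bytes([pad, next_hdr])
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, hdr + body, hashlib.sha256).digest()[:16]   # covers ESP hdr..trailer only
    return hdr + body + icv

def esp_decap(key, pkt):
    """Verify the ICV and strip ESP header/trailer; returns (spi, seq, next_hdr, payload)."""
    hdr, body, icv = pkt[:8], pkt[8:-16], pkt[-16:]
    if not hmac.compare_digest(icv, hmac.new(key, hdr + body, hashlib.sha256).digest()[:16]):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", hdr)
    pad, next_hdr = body[-2], body[-1]
    return spi, seq, next_hdr, body[:len(body) - 2 - pad]

def build_nested(host_key, gw_key):
    """Host A->Host B tunnel, then wrapped by the Gateway 1->Gateway 2 tunnel (sample addresses/SPIs)."""
    orig = ipv4_header("10.1.0.5", "10.2.0.7", UDP, 8) + struct.pack("!HHHH", 5000, 500, 8, 0)
    inner_esp = esp_encap(host_key, 0x1001, 1, orig, IPIP)              # inner tunnel
    inner = ipv4_header("10.1.0.5", "10.2.0.7", ESP, len(inner_esp)) + inner_esp
    outer_esp = esp_encap(gw_key, 0x2002, 1, inner, IPIP)               # outer tunnel
    return ipv4_header("192.0.2.1", "198.51.100.1", ESP, len(outer_esp)) + outer_esp

def walk(pkt, sas):
    """Header chain a node can see; `sas` maps SPI -> key for the SAs it holds.
    An ESP layer whose SPI is unknown here is forwarded untouched."""
    chain = []
    while True:
        proto, rest = pkt[9], pkt[20:]
        chain.append("IP")
        if proto != ESP:
            return chain + (["UDP"] if proto == UDP else [])
        chain.append("ESP")
        spi = struct.unpack("!I", rest[:4])[0]
        if spi not in sas:
            return chain
        _, _, next_hdr, pkt = esp_decap(sas[spi], rest)
        if next_hdr != IPIP:
            return chain
```

`walk()` with only the gateway SA stops at `IP | ESP | IP | ESP` (Gateway 2 forwards the inner ESP to Host B unchanged), while Host B with both SAs reaches `Orig IP | UDP`; changing the outer TTL leaves the ICV valid, but any change inside the outer ESP payload is rejected.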