[strongSwan] IPSEC Processing on a Security Gateway
Bharat S
bharat.sarvan at yahoo.com
Sun Jan 9 06:21:48 CET 2011
Hi Andreas,

Thanks for your reply. So if there exists a third IPsec tunnel from Gateway 2 to Host B, there would be 3 layers of encapsulation, right? That is, the first encapsulation for the tunnel between Host A and Gateway 1, the second encapsulation between Gateway 1 and Gateway 2, and the third encapsulation between Gateway 2 and Host B. So the packet received at Host B would appear something like

New IP | ESP | IP | ESP | IP | ESP | Orig IP | UDP
                          |<---------1st-------->|
               |<--------------2nd-------------->|
|<---------------------3rd---------------------->|

So I believe the IP stack on Host B needs to decrypt the received packet 3 times to get the original IP packet, right?
Please correct me if I am wrong.

Thanks,
Bharat
________________________________
From: Andreas Steffen <andreas.steffen at strongswan.org>
To: Bharat S <bharat.sarvan at yahoo.com>
Cc: users at lists.strongswan.org
Sent: Sun, January 9, 2011 4:51:32 AM
Subject: Re: [strongSwan] IPSEC Processing on a Security Gateway
Hello Bharat,
if you have an IPsec tunnel between Host A and Host B
and an IPsec tunnel between Gateway 1 and Gateway 2
then the Host-to-Host ESP packets will be encapsulated
by the Gateway-Gateway tunnel:
New IP | ESP | IP | ESP | Orig IP | UDP |
               |<-----inner tunnel----->|
|<------------outer tunnel------------->|
Regards
Andreas
On 01/08/2011 06:04 AM, Bharat S wrote:
> Hi all,
>
> I have a question regarding IPsec processing on a Security Gateway (SEG).
> Consider a network as below.
>
> Host A -------------------- Gateway 1 -------------------- Gateway 2 -------------------- Host B
>
> Suppose the IPsec tunnel is required to be initiated from Host A to Host B. I was wondering how the IPsec packets will be processed en route to Host B. Let's say it is ESP in tunnel mode. The packet from Host A to Gateway 1 would appear as below:
>
> New IP | ESP | Orig IP | UDP
>
> My question is, when this packet is received on Gateway 1, will the ESP header of this packet be decrypted to form another ESP, so that the resulting packet going out would appear like
>
> New IP | ESP | Orig IP | UDP
>
> OR
>
> is the entire IP packet received given as input to form another ESP packet, so that the resulting packet going out would appear like
>
> New IP | ESP | IP | ESP | Orig IP | UDP
>                |<-------hashed------->|
>
> I hope you have got my question. Please correct me if I am wrong at any place, and I would appreciate it if you could guide me to some specification that explains the IPsec processing on gateways.
>
> Many Thanks,
> Bharat
>
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
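The packet flow Andreas describes (a Host A to Host B tunnel carried inside a Gateway 1 to Gateway 2 tunnel), as an added example that is not part of the thread and is not strongSwan code. It models the RFC 4303 ESP framing with a constructed HMAC-based keystream standing in for a real ESP transform, a simplified IPv4 header, and made-up addresses, SPIs and keys. The point it makes concrete is that a node only strips the ESP layers whose SA it holds: Gateway 1 has no SA for the host-to-host SPI, so it wraps the whole received packet, Gateway 2 removes only the gateway layer, and Host B removes the remaining host-to-host layer.

```python
"""Nested tunnel-mode ESP as described in the thread (added example, not
strongSwan code). Toy RFC 4303 framing: SPI | seq | payload | pad | pad len |
next header | ICV. The cipher is a constructed HMAC keystream standing in for
a real ESP transform; addresses, SPIs and keys are all made up."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

NH_IPIP, NH_UDP, NH_ESP, ICV_LEN = 4, 17, 50, 16   # IPv4-in-IPv4, UDP, ESP, ICV bytes

def checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return (~s) & 0xFFFF

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:]

class SA:
    """One ESP security association; only its two endpoints hold the keys."""
    def __init__(self, spi, src, dst, enc_key, auth_key):
        self.spi, self.src, self.dst = spi, src, dst
        self.enc_key, self.auth_key, self.seq = enc_key, auth_key, 0

def keystream(key, spi, seq, n):
    blocks = (hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_encapsulate(sa, inner):
    """Tunnel mode: the whole IP packet handed in becomes the ESP payload."""
    sa.seq += 1
    pad_len = -(len(inner) + 2) % 4
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, NH_IPIP])
    ks = keystream(sa.enc_key, sa.spi, sa.seq, len(plain))
    esp = struct.pack("!II", sa.spi, sa.seq) + bytes(a ^ b for a, b in zip(plain, ks))
    icv = hmac.new(sa.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4(sa.src, sa.dst, NH_ESP, esp + icv)

def esp_decapsulate(sadb, pkt):
    """Strip one ESP layer. A node with no SA for the SPI (Gateway 1 in the
    thread) stops at the KeyError and must treat the packet as opaque data."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto != NH_ESP:
        raise ValueError("not an ESP packet")
    spi, seq = struct.unpack("!II", payload[:8])
    if spi not in sadb:
        raise KeyError("no SA for SPI 0x%x" % spi)
    sa = sadb[spi]
    esp, icv = payload[:-ICV_LEN], payload[-ICV_LEN:]
    expect = hmac.new(sa.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expect, icv):
        raise ValueError("ICV mismatch")
    plain = bytes(a ^ b for a, b in zip(esp[8:], keystream(sa.enc_key, spi, seq, len(esp) - 8)))
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != NH_IPIP:
        raise ValueError("unexpected next header %d" % next_hdr)
    return plain[:len(plain) - 2 - pad_len]

def header_chain(pkt, sadb):
    """Header names outside-in, peeling every ESP layer the SADB can open."""
    chain = []
    while True:
        proto = parse_ipv4(pkt)[2]
        chain.append("IP")
        if proto != NH_ESP:
            chain.append({NH_UDP: "UDP"}.get(proto, "proto%d" % proto))
            return chain
        chain.append("ESP")
        pkt = esp_decapsulate(sadb, pkt)

def scenario():
    """Host A <-> Host B tunnel carried inside the Gateway 1 <-> Gateway 2 tunnel."""
    sa_ab = SA(0x1001, "10.1.0.5", "10.2.0.7", b"ab-enc-key", b"ab-auth-key")        # constructed
    sa_gw = SA(0x2001, "192.0.2.1", "198.51.100.1", b"gw-enc-key", b"gw-auth-key")  # constructed
    orig = ipv4("10.1.0.5", "10.2.0.7", NH_UDP, struct.pack("!HHHH", 1234, 5678, 13, 0) + b"hello")
    a_to_g1 = esp_encapsulate(sa_ab, orig)                 # Host A output
    try:                                                    # Gateway 1 holds only the gateway SA
        esp_decapsulate({sa_gw.spi: sa_gw}, a_to_g1)
        g1_can_decrypt = True
    except KeyError:
        g1_can_decrypt = False
    g1_to_g2 = esp_encapsulate(sa_gw, a_to_g1)             # whole packet wrapped again
    g2_to_b = esp_decapsulate({sa_gw.spi: sa_gw}, g1_to_g2)    # Gateway 2 removes outer layer
    recovered = esp_decapsulate({sa_ab.spi: sa_ab}, g2_to_b)   # Host B removes inner layer
    return {"orig": orig, "a_to_g1": a_to_g1, "g1_to_g2": g1_to_g2, "g2_to_b": g2_to_b,
            "recovered": recovered, "g1_can_decrypt": g1_can_decrypt,
            "chain": header_chain(g1_to_g2, {sa_ab.spi: sa_ab, sa_gw.spi: sa_gw})}
```

Calling `header_chain` on the gateway-to-gateway packet with both SAs yields `IP | ESP | IP | ESP | IP | UDP`, the layout in Andreas's diagram; with only the gateway SA it stops after the first peel with a KeyError, which is exactly the position Gateway 1 is in when the host-to-host packet arrives. A real implementation does this in the kernel IPsec stack rather than in userspace, and the cipher and ICV here are placeholders, not the transforms strongSwan negotiates.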