[strongSwan] IPSEC Processing on a Security Gateway

Andreas Steffen andreas.steffen at strongswan.org
Tue Jan 11 04:10:07 CET 2011


Hello Bharat,

no, you cannot do multiple ESP encryption or decryption on the same
host (at least not on Linux systems). Gateway-to-Gateway encryption
of an already encrypted host-to-host tunnel works, though.

Regards

Andreas

On 09.01.2011 06:21, Bharat S wrote:
> Hi Andreas,
> Thanks for your reply. So if there exists a third IPSec
> tunnel from Gateway 2 to Host B,
> there would be 3 layers of encapsulation, right? That is first
> encapsulation for tunnel between Host A and 
> Gateway 1, second encapsulation between Gateway 1 and Gateway 2, and
> third encapsulation between
> Gateway 2 and Host B. So the packet received at Host B would appear
> something like
> 
> New IP | ESP | IP | ESP | IP | ESP | Orig IP | UDP
>                                           |<---------1st----------->|
>                            |<-----------------2nd----------------->|
>            |<--------------------------3rd------------------------->|
> 
> So I believe the IP Stack on Host B needs to decrypt the received packet
> 3 times to get the Original IP packet, right?
> 
> Please correct me if I am wrong.
> 
> 
> Thanks,
> Bharat
> 
> 
> 
> 
> 
> ------------------------------------------------------------------------
> *From:* Andreas Steffen <andreas.steffen at strongswan.org>
> *To:* Bharat S <bharat.sarvan at yahoo.com>
> *Cc:* users at lists.strongswan.org
> *Sent:* Sun, January 9, 2011 4:51:32 AM
> *Subject:* Re: [strongSwan] IPSEC Processing on a Security Gateway
> 
> Hello Bharat,
> 
> if you have an IPsec tunnel between Host A and Host B
> and an IPsec tunnel between Gateway 1 and Gateway 2
> then the Host-to-Host ESP packets will be encapsulated
> by the Gateway-Gateway tunnel:
> 
>   New IP | ESP | IP | ESP | Orig IP |  UDP  |
>                           |<--inner tunnel-->|
>               |<------ outer tunnel ------->|
> 
> Regards
> 
> Andreas
> 
> On 01/08/2011 06:04 AM, Bharat S wrote:
>> Hi all,
>> I have a question regarding IPSec processing on Security Gateway (SEG).
>> Consider a network as below.
>>
>>
>> Host A -------------------- Gateway 1 -------------------- Gateway 2 -------------------- Host B
>>
>> If suppose the IPSec tunnel is required to be initiated from Host A to
>> Host B, I was wondering how will the IPSec packets be
>> processed en route to Host B. Let's say it's ESP in tunnel mode. The
>> packet from Host A to Gateway 1 would appear as below
>>
>>
>> New IP | ESP | Orig IP | UDP
>>
>> My question is, when this packet is received on Gateway 1, will the ESP
>> header of this packet be decrypted to form another ESP
>> and the resulting packet going out would appear like
>>
>> New IP | ESP | Orig IP | UDP
>>
>>
>> OR
>>
>> Or is the entire received IP packet given as input to form another
>> ESP packet.. And the resulting packet going out would appear like
>>
>> New IP | ESP | IP | ESP | Orig IP | UDP
>> |<-----------hashed---------> |
>>
>>
>> I hope you have got my question. Please correct me if I am wrong at any
>> place.. And would appreciate if you could guide me to some
>> specification that explains the IPSec Processing on Gateways.
>>
>>
>> Many Thanks,
>> Bharat

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
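The two-layer packet in Andreas's diagram (New IP | ESP | IP | ESP | Orig IP | UDP), worked through as an added illustration that is not part of the thread and not strongSwan code: the host-to-host ESP packet is wrapped by the gateway-to-gateway tunnel, so Gateway 2 can only remove the outer layer and Host B removes the inner one. Addresses, SPIs and keys are constructed, and the ESP cipher is replaced by an XOR stand-in so the layering stays readable.

```python
import struct

ESP = 50   # IP protocol number for ESP
UDP = 17

def ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header in front of payload; checksum left 0 (constructed, never sent)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def toy_cipher(key, data):
    # Stand-in for the ESP transform so the layers stay visible; XOR is NOT real ESP crypto
    return bytes(b ^ key for b in data)

def esp_tunnel(src, dst, spi, key, inner_ip_packet):
    # Tunnel mode: the whole inner IP packet is the ESP payload; trailer = pad length, next header (4 = IPv4)
    trailer = struct.pack("!BB", 0, 4)
    esp = struct.pack("!II", spi, 1) + toy_cipher(key, inner_ip_packet + trailer)
    return ipv4(src, dst, ESP, esp)

def peel(packet, sa_db):
    """Remove ESP tunnel layers while the outer protocol is ESP and the SPI is in sa_db.
    Returns (remaining packet, layers removed, SPI of the first layer we lacked a key for)."""
    layers = 0
    while packet[9] == ESP:                      # protocol field of the outermost IP header
        spi = struct.unpack("!I", packet[20:24])[0]
        if spi not in sa_db:
            return packet, layers, spi           # not our tunnel: forward it untouched
        plain = toy_cipher(sa_db[spi], packet[28:])   # skip 8-byte SPI + sequence number
        pad_len, next_hdr = plain[-2], plain[-1]
        packet = plain[:-(2 + pad_len)]
        layers += 1
        if next_hdr != 4:                        # not IP-in-IP: transport-mode payload, stop
            return packet, layers, None
    return packet, layers, None

# Constructed addresses, SPIs and keys (hypothetical values)
HOST_A, HOST_B = (10, 1, 0, 2), (10, 2, 0, 2)
GW1, GW2 = (192, 0, 2, 1), (198, 51, 100, 1)
HOST_SA, GW_SA = {0x1001: 0x5A}, {0x2002: 0xC3}

def build_nested():
    orig = ipv4(HOST_A, HOST_B, UDP, b"\x00\x35\x00\x35\x00\x0c\x00\x00payl")  # Orig IP | UDP
    inner = esp_tunnel(HOST_A, HOST_B, 0x1001, 0x5A, orig)   # New IP | ESP | Orig IP | UDP
    return esp_tunnel(GW1, GW2, 0x2002, 0xC3, inner)         # New IP | ESP | IP | ESP | Orig IP | UDP

def at_gateway2(pkt):
    # Gateway 2 knows only the gateway SA: one layer off, host-to-host ESP forwarded as-is
    return peel(pkt, GW_SA)

def at_host_b(pkt):
    # Host B knows only its own SA: removes the remaining layer and reaches Orig IP | UDP
    return peel(pkt, HOST_SA)
```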