Hello Bharat,

no, you cannot do multiple ESP encryption or decryption on the same host (at least not on Linux systems). Gateway-to-Gateway encryption of an already encrypted host-to-host tunnel works, though.

Regards

Andreas

On 09.01.2011 06:21, Bharat S wrote:
> Hi Andreas,
> Thanks for your reply. So if there exists a third IPSec tunnel from Gateway 2 to Host B,
> there would be 3 layers of encapsulation, right? That is first encapsulation for tunnel
> between Host A and Gateway 1, second encapsulation between Gateway 1 and Gateway 2, and
> third encapsulation between Gateway 2 and Host B. So the packet received at Host B would
> appear something like
>
> New IP | ESP | IP | ESP | IP | ESP | Orig IP | UDP
>                         |<---------1st---------->|
>              |<---------------2nd--------------->|
> |<---------------------3rd---------------------->|
>
> So I believe the IP Stack on Host B needs to decrypt the received packet 3 times to get
> the Original IP packet, right?
>
> Please correct me if I am wrong.
>
> Thanks,
> Bharat
>
> ------------------------------------------------------------------------
> *From:* Andreas Steffen <[email protected]>
> *To:* Bharat S <[email protected]>
> *Cc:* [email protected]
> *Sent:* Sun, January 9, 2011 4:51:32 AM
> *Subject:* Re: [strongSwan] IPSEC Processing on a Security Gateway
>
> Hello Bharat,
>
> if you have an IPsec tunnel between Host A and Host B
> and an IPsec tunnel between Gateway 1 and Gateway 2
> then the Host-to-Host ESP packets will be encapsulated
> by the Gateway-Gateway tunnel:
>
> New IP | ESP | IP | ESP | Orig IP | UDP |
>              |<-----inner tunnel------>|
> |<------------outer tunnel------------>|
>
> Regards
>
> Andreas
>
> On 01/08/2011 06:04 AM, Bharat S wrote:
>> Hi all,
>> I have a question regarding IPSec processing on Security Gateway (SEG).
>> Consider a network as below.
>>
>> Host A -------------------- Gateway 1 -------------------- Gateway 2 -------------------- Host B
>>
>> If suppose the IPSec tunnel is required to be initiated from Host A to Host B, I was
>> wondering how will the IPSec packets be processed on route to Host B. Let's say it's
>> ESP in tunnel mode. The packet from Host A to Gateway 1 would appear as below
>>
>> New IP | ESP | Orig IP | UDP
>>
>> My question is, when this packet is received on Gateway 1, will the ESP header of this
>> packet be decrypted to form another ESP and the resulting packet going out would appear
>> like
>>
>> New IP | ESP | Orig IP | UDP
>>
>> OR
>>
>> Or is it that the entire IP packet received is given as input to form another ESP
>> packet.. And the resulting packet going out would appear like
>>
>> New IP | ESP | IP | ESP | Orig IP | UDP
>>        |<-----------hashed------------>|
>>
>> I hope you have got my question. Please correct me if I am wrong at any place.. And
>> would appreciate if you could guide me to some specification that explains the IPSec
>> Processing on Gateways.
>>
>> Many Thanks,
>> Bharat

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
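The nesting discussed in this thread, as an added example that is not part of the original mails or of strongSwan's code: a toy Python model in which a host-to-host ESP tunnel-mode SA is carried inside a gateway-to-gateway SA, so the packet on the gateway link is New IP | ESP | IP | ESP | Orig IP | UDP, Gateway 2 removes only its own layer and Host B removes the inner one. The ESP header, trailer and padding layout follow RFC 4303 and the ICV is checked before anything is decrypted; the addresses, SPIs, keys and the HMAC-derived keystream "cipher" are constructed placeholders (assumptions), not a real ESP transform.

```python
"""Toy model of ESP tunnel-mode nesting: a host-to-host SA carried inside a
gateway-to-gateway SA.  Constructed example; the HMAC-based keystream below
stands in for a real ESP cipher transform and is not an actual ESP algorithm."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4    # ESP next-header value for an inner IPv4 packet (tunnel mode)
IPPROTO_UDP = 17
IPPROTO_ESP = 50
ICV_LEN = 16        # truncated HMAC, in the style of HMAC-SHA-256-128 (RFC 4868)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero since nothing routes it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol, payload) for a header built by ipv4_header()."""
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[20:total_len]


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Toy counter-mode keystream, unique per (SPI, sequence number)."""
    blocks = [hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


class Tunnel:
    """One direction of an ESP tunnel-mode SA between `local` and `peer`."""

    def __init__(self, local, peer, spi, enc_key, auth_key):
        self.local, self.peer, self.spi = local, peer, spi
        self.enc_key, self.auth_key = enc_key, auth_key
        self.seq = 0          # sender-side counter
        self.last_seen = 0    # receiver-side replay check (window of one, simplified)

    def encapsulate(self, inner_ip: bytes) -> bytes:
        """New IP | SPI, Seq | enc(inner IP + padding + pad len + next header) | ICV."""
        self.seq += 1
        pad_len = (-(len(inner_ip) + 2)) % 4               # RFC 4303: trailer 4-byte aligned
        plaintext = inner_ip + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
        ks = _keystream(self.enc_key, self.spi, self.seq, len(plaintext))
        esp = struct.pack("!II", self.spi, self.seq) + bytes(a ^ b for a, b in zip(plaintext, ks))
        icv = hmac.new(self.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
        return ipv4_header(self.local, self.peer, IPPROTO_ESP, len(esp) + ICV_LEN) + esp + icv

    def decapsulate(self, packet: bytes) -> bytes:
        """Verify the ICV first, then replay-check, decrypt and strip the trailer."""
        src, dst, proto, payload = parse_ipv4(packet)
        if proto != IPPROTO_ESP or (src, dst) != (self.peer, self.local):
            raise ValueError("not an ESP packet for this SA")
        esp, icv = payload[:-ICV_LEN], payload[-ICV_LEN:]
        expected = hmac.new(self.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            raise ValueError("ICV mismatch")
        spi, seq = struct.unpack("!II", esp[:8])
        if spi != self.spi or seq <= self.last_seen:
            raise ValueError("unknown SPI or replayed sequence number")
        self.last_seen = seq
        ks = _keystream(self.enc_key, spi, seq, len(esp) - 8)
        pt = bytes(a ^ b for a, b in zip(esp[8:], ks))
        pad_len, next_hdr = pt[-2], pt[-1]
        if next_hdr != IPPROTO_IPIP:
            raise ValueError("expected an inner IP packet (tunnel mode)")
        return pt[:len(pt) - 2 - pad_len]


def run_scenario() -> dict:
    """Send one UDP packet Host A -> GW1 -> GW2 -> Host B and record what each hop sees."""
    host_keys = dict(enc_key=b"host-enc".ljust(32, b"\0"), auth_key=b"host-auth".ljust(32, b"\0"))
    gw_keys = dict(enc_key=b"gw-enc".ljust(32, b"\0"), auth_key=b"gw-auth".ljust(32, b"\0"))
    host_a, host_b = "10.0.1.10", "10.0.2.10"             # constructed addresses
    gw1, gw2 = "192.0.2.1", "198.51.100.1"
    host_tx = Tunnel(host_a, host_b, 0x1001, **host_keys)  # host-to-host SA, A side
    host_rx = Tunnel(host_b, host_a, 0x1001, **host_keys)  # host-to-host SA, B side
    gw_tx = Tunnel(gw1, gw2, 0x2002, **gw_keys)            # gateway-to-gateway SA, GW1 side
    gw_rx = Tunnel(gw2, gw1, 0x2002, **gw_keys)            # gateway-to-gateway SA, GW2 side

    udp = struct.pack("!HHHH", 4000, 5000, 8 + 5, 0) + b"hello"
    original = ipv4_header(host_a, host_b, IPPROTO_UDP, len(udp)) + udp

    hop1 = host_tx.encapsulate(original)   # A -> GW1:   New IP | ESP | Orig IP | UDP
    hop2 = gw_tx.encapsulate(hop1)         # GW1 -> GW2: New IP | ESP | IP | ESP | Orig IP | UDP
    hop3 = gw_rx.decapsulate(hop2)         # GW2 strips only its own layer; the inner ESP is opaque to it
    at_b = host_rx.decapsulate(hop3)       # B strips the host-to-host layer

    def view(p):                           # (outer src, outer dst, outer protocol, bytes on the wire)
        s, d, proto, _ = parse_ipv4(p)
        return s, d, proto, len(p)

    return {"original": original, "a_to_gw1": view(hop1), "gw1_to_gw2": view(hop2),
            "gw2_to_b": view(hop3), "gw2_forwards_inner_esp_unchanged": hop3 == hop1,
            "at_host_b": at_b}
```

Running `run_scenario()` shows the point of the thread: on the A-to-GW1 and GW2-to-B links the outer header is A-to-B with protocol 50, on the GW1-to-GW2 link it is GW1-to-GW2 with protocol 50 and a larger packet, Gateway 2 hands on exactly the ESP packet Host A built, and only Host B ever sees the UDP payload. Each layer adds its own header, trailer and ICV, so the overhead per nesting level is visible in the lengths.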
