IBM : developerWorks : Security : Education - online courses
Virtual private networks, Part 2
3. Encapsulating Security Protocol

Combined use of AH and ESP (page 10 of 11)


As mentioned, AH and ESP can be applied alone or in combination. Interestingly, the AH and ESP SAs in a bundle don't have to share the same endpoints. When the endpoints differ, at least one level of tunneling must be incorporated into the SA bundle, because transport mode can only protect the datagram between its own source and destination.

There are two approaches for an SA bundle creation:

  • Transport adjacency: Both security protocols are applied in transport mode to the same IP datagram. This method is practical for only one level of combination.
  • Iterated (nested) tunneling: The security protocols are applied in tunnel mode in sequence. After each application a new IP datagram is created, and the next protocol is applied to it. This method has no limit on the number of nesting levels; however, using more than three levels of nesting has proven to be impractical.

It's possible to combine the approaches. For example, an IP packet with transport adjacency IPSec headers can be sent through a nested tunnel.
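As an added illustration (not code from the tutorial), the following Python model stacks AH and ESP headers onto a datagram under both bundling approaches, and enforces the two constraints stated above: transport mode only applies when the SA endpoints are the datagram's own endpoints, and nesting deeper than three levels is rejected. Addresses are constructed samples; the ESP-before-AH order used for transport adjacency follows RFC 2401.

```python
"""Model of IPsec SA bundling: transport adjacency vs. iterated tunneling.

Added example, not part of the IBM tutorial. A datagram is a list of layers,
outermost first: ("IP", src, dst) for an IP header, "AH", "ESP",
"ESP-trailer", and "payload". All addresses are constructed samples.
"""


def apply_sa(dgram, protocol, mode, src, dst):
    """Apply one SA (AH or ESP, transport or tunnel) and return the new datagram."""
    if protocol not in ("AH", "ESP"):
        raise ValueError(f"unknown protocol {protocol!r}")
    outer = dgram[0]
    if not (isinstance(outer, tuple) and outer[0] == "IP"):
        raise ValueError("datagram must start with an IP header")
    if mode == "transport":
        # Transport mode keeps the existing IP header and slides the IPsec
        # header in behind it, so the SA must run between that header's endpoints.
        if (outer[1], outer[2]) != (src, dst):
            raise ValueError("transport mode needs SA endpoints equal to the "
                             "datagram endpoints; use tunnel mode instead")
        new = [outer, protocol] + dgram[1:]
    elif mode == "tunnel":
        # Tunnel mode wraps the whole datagram in a fresh IP header between the
        # SA endpoints, which therefore may differ from the inner endpoints.
        new = [("IP", src, dst), protocol] + dgram
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if protocol == "ESP":
        new.append("ESP-trailer")  # ESP adds padding/next-header/ICV after the data
    return new


def transport_adjacency(dgram, src, dst):
    """Both protocols in transport mode on one datagram: ESP first, then AH,
    so the outer AH also authenticates the ESP header (RFC 2401 ordering)."""
    inner = apply_sa(dgram, "ESP", "transport", src, dst)
    return apply_sa(inner, "AH", "transport", src, dst)


def iterated_tunnel(dgram, hops, max_practical=3):
    """Apply tunnel-mode SAs in sequence; hops is [(protocol, src, dst), ...]
    innermost first. Each hop produces a new outer IP datagram."""
    if len(hops) > max_practical:
        raise ValueError(f"{len(hops)} nesting levels exceeds the practical limit")
    for protocol, src, dst in hops:
        dgram = apply_sa(dgram, protocol, "tunnel", src, dst)
    return dgram


def nesting_depth(dgram):
    """Number of IP headers present (1 means no tunnel)."""
    return sum(1 for layer in dgram if isinstance(layer, tuple) and layer[0] == "IP")
```

Running `iterated_tunnel(transport_adjacency(pkt, host_a, host_b), [("ESP", gw_a, gw_b)])` models the combined case described above: a transport-adjacent packet between two hosts carried through a single ESP tunnel between their gateways.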
