[c-nsp] vpn

Arturo Servin aservin at remoteconfig.net
Sat Sep 10 08:00:22 EDT 2005


Brian McMahon wrote:

>Quoth Arturo Servin:
>
>>    My mistake, the right question is:
>>
>>I also have a question. You can use AH or ESP but not both at the 
>>same time. ESP will authenticate and encrypt while AH will only authenticate. 
>>Is it correct?
>
>No.  You *can* use AH and ESP together, at least as far as the protocols 
>go.  It's just that, for most purposes, you wouldn't want to.  The only 
>thing that AH (and therefore AH+ESP) does that ESP doesn't is to extend 
>authentication to cover the outermost IP header.
>
>Using Ye Olde Typewriter Graphics, here's how it looks.  (Use monospaced 
>viewing font for best results.)  "e" is for encrypted, "a" is for 
>authenticated.
>
>ESP:
>
>                          |< - - encrypted - - >|
>+-----------+------------+eeeeeeeeeeeeeeee+eeeee--------+
>| IP header | ESP header | Protected data | ESP trailer |
>+-----------+aaaaaaaaaaaa+aaaaaaaaaaaaaaaa+aaaaa--------+
>             |< - - - - authenticated - - - - ->|
>
>AH:
>
>+-----------+-----------+----------------+
>| IP header | AH header | Protected data |
>+aaaaaaaaaaa+aaaaaaaaaaa+aaaaaaaaaaaaaaaa+
>|< - - - - - - authenticated - - - - - ->|
>
>(Adapted from figures 3.4 and 3.5 in the Doraswamy/Harkins IPsec book, 
>2nd edition.  RFC2406 distinguishes between the ESP trailer (protected) 
>and the ESP auth field (not), which is probably more detail than most 
>people really want or need.)
>
>So if, for example, "unable to survive NAT" is on your list of required 
>features, AH+ESP is your solution.  8-)
>
>Translating to the wonderfully baroque IOS config syntax, you implement 
>AH+ESP by specifying both AH and ESP transforms in the same transform 
>set (for example, crypto ipsec transform-set paranoid ah-sha-hmac 
>esp-des esp-sha-hmac).
>
Thanks for clarifying. I do not know where I got the idea that you can 
use either of them but not at the same time.

Thanks!!
-as

-- 

Remote Config, The Remote Configuration Company
http://www.remoteconfig.net
Global Service Offices
contact at remoteconfig.net
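An added illustration (not from the original thread or from either poster) of the point made above: AH's integrity check covers the outer IP header, ESP's does not, so a NAT rewrite of the source address breaks AH but not ESP. The key, addresses, SPI and payload are constructed sample values; the AH/ESP headers are reduced to SPI+sequence and the checksum is left zero, so this is the coverage rule, not a wire-accurate packet builder.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed sample key; a real SA negotiates one
AH_PROTO, ESP_PROTO = 51, 50

def ipv4_header(src, dst, proto, ttl=64, length=84):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def zero_mutable_fields(hdr):
    """RFC 2402 rule: TOS, flags/frag offset, TTL and checksum are zeroed before the ICV."""
    h = bytearray(hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL (so ordinary forwarding does not break AH)
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_icv(outer_ip, ah_hdr, payload):
    """AH: HMAC-SHA1-96 over outer IP header (mutable fields zeroed) + AH header + data."""
    return hmac.new(KEY, zero_mutable_fields(outer_ip) + ah_hdr + payload, hashlib.sha1).digest()[:12]

def esp_icv(esp_hdr, ciphertext_and_trailer):
    """ESP: HMAC-SHA1-96 starting at the ESP header; the outer IP header is not covered."""
    return hmac.new(KEY, esp_hdr + ciphertext_and_trailer, hashlib.sha1).digest()[:12]

def in_transit(hdr, new_src=None):
    """Simulate one hop: decrement TTL; optionally rewrite the source address (NAT)."""
    h = bytearray(hdr)
    h[8] -= 1
    if new_src:
        h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)

def receiver_accepts(protocol, nat_src=None):
    """Sender computes the ICV, the packet crosses a hop, receiver recomputes and compares."""
    payload = b"constructed protected data"      # ESP: ciphertext + trailer; AH: cleartext
    spi_seq = struct.pack("!II", 0x100, 1)       # stand-in for the AH/ESP header (SPI, seq)
    proto = AH_PROTO if protocol == "ah" else ESP_PROTO
    outer = ipv4_header("192.0.2.10", "198.51.100.20", proto)
    sent = ah_icv(outer, spi_seq, payload) if protocol == "ah" else esp_icv(spi_seq, payload)
    outer_rx = in_transit(outer, nat_src)
    got = ah_icv(outer_rx, spi_seq, payload) if protocol == "ah" else esp_icv(spi_seq, payload)
    return hmac.compare_digest(sent, got)
```

Running `receiver_accepts("ah", nat_src="203.0.113.5")` returns False while the same call with `"esp"` returns True; without NAT both verify, since the TTL decrement is excluded from AH's ICV.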
