IPsec

cool rohan
Level 1

The IP Security Protocol (IPsec)

IPsec requires the negotiation of a unique SA for each direction of the IPsec tunnel and for each protocol used (AH, ESP, or combination thereof).

I don't understand the meaning of this line.

"IPsec requires the negotiation of a unique SA for each direction of the IPsec tunnel": this I understand.

But the second part,

"IPsec requires the negotiation of a unique SA for each protocol used (AH, ESP)": this I don't understand.

Can anybody please explain?

2 Accepted Solutions

Aditya Ganjoo
Cisco Employee

Hi,

A separate pair of IPsec SAs is set up for each of the AH and ESP transforms. Each IPsec peer agrees to set up SAs consisting of the policy parameters to be used during the IPsec session. The SAs are unidirectional for IPsec, so peer 1 will offer peer 2 a policy. If peer 2 accepts this policy, it will send that policy back to peer 1. This establishes two one-way SAs between the peers. Two-way communication consists of two SAs, one for each direction.

For more information check this:

http://www.ciscopress.com/articles/article.asp?p=24833&seqNum=7

Regards,

Aditya

Please rate helpful and mark correct answers


Also important to mention: Practically, AH is non-existent in VPNs; only ESP is used today. But when learning, of course it's still useful to also look at AH to get a better understanding.
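To make the two answers above concrete, here is a small toy model of an IPsec Security Association Database. It is an added example written for this thread, not code from Cisco or from either poster. It models only the structural point at issue: every SA is one-way and is identified on the inbound side by its SPI together with the destination address and the protocol (AH or ESP), so a tunnel protected by both AH and ESP needs four SAs, while the ESP-only tunnel that is the norm today needs two. The peer addresses, SPI values and class names are constructed for illustration; the model does not do real IKE negotiation or any cryptography.

```python
"""Toy model of an IPsec Security Association Database (SADB).

Added example, not from the original thread or from Cisco. Addresses,
SPI ranges and the Peer/SecurityAssociation names are constructed.
"""
from dataclasses import dataclass
from itertools import count

AH, ESP = "AH", "ESP"   # carried as IP protocol numbers 51 and 50 in real packets


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int        # Security Parameter Index, chosen by the receiving peer
    src: str        # peer that sends the protected traffic
    dst: str        # peer that receives it; the SA is valid in this direction only
    protocol: str   # AH or ESP: each protocol gets its own SA pair

    def key(self):
        # An inbound SA is looked up by the (SPI, destination, protocol) triple
        return (self.spi, self.dst, self.protocol)


class Peer:
    """One IPsec endpoint with its own SADB and its own SPI allocator."""

    def __init__(self, addr, spi_start):
        self.addr = addr
        self._spi = count(spi_start)
        self.inbound = {}    # (spi, dst, proto) -> SA for traffic this peer receives
        self.outbound = {}   # (remote, proto)   -> SA for traffic this peer sends

    def offer_inbound_sa(self, remote, protocol):
        """The receiver picks the SPI it wants the sender to use (an IKE-style proposal)."""
        sa = SecurityAssociation(next(self._spi), remote, self.addr, protocol)
        self.inbound[sa.key()] = sa
        return sa

    def accept_outbound_sa(self, sa):
        """The sender installs the SA it was offered for its outbound direction."""
        if sa.src != self.addr:
            raise ValueError("SA offered for a direction this peer does not send")
        self.outbound[(sa.dst, sa.protocol)] = sa


def negotiate_tunnel(a, b, protocols):
    """Set up SAs between a and b for every protocol in use.

    Returns the list of SAs created: one per direction per protocol.
    """
    created = []
    for proto in protocols:
        for receiver, sender in ((a, b), (b, a)):
            sa = receiver.offer_inbound_sa(sender.addr, proto)  # receiver proposes
            sender.accept_outbound_sa(sa)                       # sender accepts
            created.append(sa)
    return created


def lookup_inbound(peer, spi, dst, protocol):
    """Inbound processing: the (SPI, dst, protocol) triple must match exactly."""
    return peer.inbound.get((spi, dst, protocol))


def demo():
    """Tunnel between two constructed peers using both AH and ESP."""
    hq = Peer("192.0.2.1", spi_start=0x1000)
    branch = Peer("198.51.100.1", spi_start=0x2000)
    sas = negotiate_tunnel(hq, branch, [AH, ESP])
    return sas, hq, branch


if __name__ == "__main__":
    sas, hq, branch = demo()
    for sa in sas:
        print(f"{sa.protocol}: {sa.src} -> {sa.dst}, SPI {sa.spi:#x}")
    print(len(sas), "SAs for AH+ESP in both directions")
```

Running the script lists four SAs for the AH+ESP tunnel (AH in each direction, ESP in each direction). Calling `negotiate_tunnel` with `[ESP]` alone yields two, which is the usual VPN case mentioned in the second accepted solution. The `lookup_inbound` helper shows why the protocol is part of the SA identity: an SPI that is valid for AH at one peer matches nothing when the packet arrives as ESP, or at the other peer.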

