Re: IPSEC target and transport mode

[Paul Koning <ni1d@arrl.net>]

Excerpt of message (sent 27 March 2002) by Bill Studenmund:
> As I understand tunnel mode, you have an IPsec security gateway in the
> topology. Among other things, that means we won't readily have end-to-end
> security, since you have security from the gateway to the device, not
> necessarily the initiator to the device.
> 
> How do you suggest we achieve end-to-end security without transport mode a
> MUST?
> 
> Specifically the topology I have in mind is I make a dedicated IP SAN, and
> want ESP from the file servers to the storage boxes. They are all on the
> same (GigE) subnet. How do I get this level of security (end-to-end) with
> just tunnel mode?

Tunnel mode enables the use of (separate) security gateways.  It does
NOT require them.  It is perfectly reasonable to do end to end
security with tunnel mode.  To do so, you terminate the tunnels at the
storage nodes.

Some users will require end to end security, others will prefer site
to site security.  Tunnel mode is the common mechanism that supports
both needs.

     paul