Hello - I got some questions on IPSec, wonder if some gurus here can help me out. The questions are not about how to set it up, but rather why you would want to set up certain options. I hope somebody can answer any or all of these questions:

1) Cisco routers allow you to create a tunnel with both AH authentication and ESP authentication (not ESP encryption, but ESP authentication) at the same time. Considering the overhead involved (more SAs have to be built, packet gets longer, etc.), why would you ever want to combine them? More specifically, since AH authentication is stronger than ESP authentication (because AH actually checks the integrity of some IP header fields and ESP does not), then provided that you have already decided to do AH authentication, is there ever a good reason to also do ESP authentication as well? I agree that AH authentication combined with ESP encryption is something good to do, but would you ever want to combine AH authentication with ESP authentication? I'm sure that there is a good reason to do this, could somebody tell me what that reason might be?

2) Can anybody come up with a reason to use a transform set with the keyword "esp-null", which is no encryption at all? OK, I understand you might want to create a tunnel with just authentication, and no encryption. Fine, I have no problem understanding that. But then, why not just leave out any encryption keyword (ergo - just don't type esp-des or esp-3des), which seems to me would accomplish the same thing as typing esp-null? Maybe that's just a question of semantics, but it seems quite odd to me that IOS would have a command that does the same thing as typing nothing.

3) As a real-world consideration, is it true that AH is essentially becoming unpopular, and the industry as a whole is consolidating around ESP?

Thanx to all responders

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=12238&t=12238
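
The coverage difference mentioned in question 1, as an added example that is not part of the original post: a simplified transport-mode model in which the AH ICV covers the IP header with its mutable fields zeroed (RFC 4302) and the ESP ICV covers only the ESP header, payload and trailer (RFC 4303). The key, SPIs, addresses and payload are constructed sample values, the ESP payload is unencrypted (as with esp-null), and the IP header checksum is left at zero.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-key"   # constructed sample key
PAYLOAD = b"sample-data!"       # constructed 12-byte upper-layer payload

def icv(data):
    """HMAC-SHA1-96: HMAC-SHA1 truncated to 12 bytes."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ip_header(proto, ttl=64):
    """20-byte IPv4 header; both sample packets are 56 bytes long."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 0x1234, 0, ttl, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))

def zero_mutable(hdr):
    """Zero the fields AH treats as mutable: TOS, flags/offset, TTL, checksum."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)

def build_ah():
    ip = ip_header(51)
    ah = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1)  # next hdr, len, rsvd, SPI, seq
    return ip + ah + icv(zero_mutable(ip) + ah + bytes(12) + PAYLOAD) + PAYLOAD

def verify_ah(pkt):
    ip, ah, got, data = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(got, icv(zero_mutable(ip) + ah + bytes(12) + data))

def build_esp():
    # SPI, seq, payload, 2 pad bytes, pad length, next header
    body = struct.pack("!II", 0x2000, 1) + PAYLOAD + bytes([1, 2, 2, 6])
    return ip_header(50) + body + icv(body)

def verify_esp(pkt):
    # The outer IP header (first 20 bytes) is not part of the ICV input.
    return hmac.compare_digest(pkt[-12:], icv(pkt[20:-12]))

def tamper(pkt, offset, value):
    """Return a copy of pkt with one byte replaced, as a receiver would see it."""
    out = bytearray(pkt)
    out[offset] = value
    return bytes(out)

if __name__ == "__main__":
    for label, off in (("source address", 15), ("TTL", 8)):
        print(label, "changed -> AH ok:", verify_ah(tamper(build_ah(), off, 99)),
              "ESP ok:", verify_esp(tamper(build_esp(), off, 99)))
```

In tunnel mode ESP does cover the inner IP header, since it is part of the ESP payload, but the outer header is still outside the ESP ICV.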