Tunnel Mode; Ipsec And Nat - Nortel BSR252 Configuration - Basics

Business secure router

Chapter 13 VPN 207

Tunnel mode

Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel
mode is required for gateway services to provide access to internal systems.
Tunnel mode is fundamentally an IP tunnel with authentication and encryption.
This is the most common mode of operation. Tunnel mode is required for
Business Secure Router to Business Secure Router and host to Business Secure
Router communications. Tunnel mode communications have two sets of IP
headers:
Outside header: The outside IP header contains the destination IP address of the
Business Secure Router.
Inside header: The inside IP header contains the destination IP address of the
final system behind the Business Secure Router.
The security protocol appears after the outer IP header and before the inside IP
header.

IPSec and NAT

Read this section if you are running IPSec on a host computer behind the Business
Secure Router.
NAT is incompatible with the AH protocol in both Transport and Tunnel mode.
An IPSec VPN using the AH protocol digitally signs the outbound packet, both
data payload and headers, with a hash value appended to the packet. When using
AH protocol, packet contents (the data payload) are not encrypted.
A NAT device in between the IPSec endpoints rewrites either the source or
destination address with one of its own choosing. The VPN device at the receiving
end verifies the integrity of the incoming packet by computing its own hash value
over the packet as received. Because the signed headers include the address that
NAT rewrote, the computed value does not match the hash value appended to the
received packet, and the device rejects the packet. The VPN device at the
receiving end does not know about the NAT in the middle, so it assumes that the
data was maliciously altered.
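The AH failure described above can be reproduced in a few lines. This is an added example, not taken from the Nortel manual: it assumes HMAC-SHA1-96 as the AH integrity algorithm and the RFC 4302 rule that mutable IPv4 fields are zeroed before hashing, and the key, SPI and addresses are constructed sample values.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"   # constructed sample key, not from the manual
ICV_LEN = 12                    # HMAC-SHA1-96 truncation (assumed algorithm)

def ipv4_header(src, dst, payload_len, ttl=64, proto=51):
    """20-byte IPv4 header; protocol 51 = AH. Checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv_input_header(hdr):
    """Zero the fields routers may change in transit (TOS, flags/offset, TTL,
    checksum). Source and destination addresses stay in the hash input."""
    b = bytearray(hdr)
    b[1] = 0; b[6:8] = b"\0\0"; b[8] = 0; b[10:12] = b"\0\0"
    return bytes(b)

def ah_icv(ip_hdr, ah_fixed, payload):
    """Integrity value over IP header, AH header (ICV zeroed) and payload."""
    data = icv_input_header(ip_hdr) + ah_fixed + b"\0" * ICV_LEN + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(src, dst, payload, spi=0x1000, seq=1):
    # AH fixed part: next header (6 = TCP), length in words minus 2, SPI, seq
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, len(ah_fixed) + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload) + payload

def verify_ah_packet(pkt):
    """Receiver side: recompute the ICV and compare in constant time."""
    ip_hdr, ah_fixed = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload))

def nat_rewrite_source(pkt, new_src):
    """What a NAT device in the path does: replace the source address."""
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]

def router_hop(pkt):
    """Ordinary forwarding: decrement TTL, which AH treats as mutable."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]

if __name__ == "__main__":
    pkt = build_ah_packet("192.168.1.33", "203.0.113.10", b"constructed payload")
    print("as sent:         ", verify_ah_packet(pkt))
    print("after router hop:", verify_ah_packet(router_hop(pkt)))
    print("after NAT:       ", verify_ah_packet(nat_rewrite_source(pkt, "198.51.100.7")))
```

A TTL decrement passes verification because that field is excluded from the hash, while the NAT address rewrite fails it; the receiver cannot distinguish that failure from tampering.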
Nortel Business Secure Router 252 Configuration — Basics
