3Com 3C13618 Command Reference Manual page 709

Description
Use the encapsulation-mode command to configure the encapsulation mode that IPSec uses to encrypt and authenticate IP packets. Use the undo encapsulation-mode command to restore the default value.

By default, tunnel mode is used.

This command applies to the IPSec module of the operating system and to the crypto card.

IPSec can encrypt and authenticate IP packets in two encapsulation modes: transport mode and tunnel mode. In transport mode, IPSec protects the data part of the IP packet but not its header. In tunnel mode, IPSec protects the whole IP packet and adds a new IP header in front of the original packet. The source and destination addresses of the new IP header are the IP addresses of the two ends of the tunnel.

Tunnel mode is generally used between two security gateways (such as routers). A packet encrypted by one security gateway can only be decrypted by the other security gateway, so the IP packet must be encapsulated in tunnel mode: a new IP header is added, and the encapsulated packet is sent to the other security gateway, where it is decrypted.

Transport mode is suitable for communication between two hosts, or between a host and a security gateway (such as the network management communication between the gateway workstation and a router). In transport mode, the two devices that encrypt and decrypt the packets must be the original sender and receiver of the packet. Most of the data traffic between two security gateways does not originate from the gateways themselves, so transport mode is not used between security gateways.

The proposal sets used by the IPSec policies at both ends of the security tunnel must be configured with the same packet encapsulation mode.

For related commands, see ah-new authentication-algorithm, ipsec proposal, esp-new encryption-algorithm, esp-new authentication-algorithm, proposal, transform.

Example
# Configure the proposal set named trans to use transport mode.
[3Com] ipsec proposal trans
[3Com-ipsec-proposal-trans] encapsulation-mode transport
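
The difference between the two modes on the wire, and why both ends must agree on the mode, can be seen by building both packet layouts. This is an added example, not part of the 3Com manual; the addresses, SPI and payload are constructed, the function names are hypothetical, and no cipher or integrity check value is applied so the layout stays readable.

```python
import socket
import struct

ESP, IPIP, UDP = 50, 4, 17  # IP protocol numbers: ESP, IPv4-in-IP, UDP

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 in this sketch)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def esp_wrap(inner, next_header, spi=0x1000, seq=1):
    """ESP header + payload + trailer (pad, pad length, next header).
    Assumption: no cipher or ICV is applied, so the layout stays readable."""
    pad_len = -(len(inner) + 2) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + inner + trailer

def transport_mode(packet):
    """Original IP header stays in front; only the data part goes inside ESP."""
    hdr, data = packet[:20], packet[20:]
    body = esp_wrap(data, next_header=hdr[9])
    src, dst = socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20])
    return ipv4_header(src, dst, ESP, len(body)) + body

def tunnel_mode(packet, local_gw, remote_gw):
    """Whole original packet goes inside ESP behind a new gateway header."""
    body = esp_wrap(packet, next_header=IPIP)
    return ipv4_header(local_gw, remote_gw, ESP, len(body)) + body

def outer_addresses(wire):
    """Addresses an on-path observer can read from the outermost IP header."""
    return socket.inet_ntoa(wire[12:16]), socket.inet_ntoa(wire[16:20])

def receiver_accepts(wire, configured_mode):
    """Simplified peer check: tunnel mode expects an inner IP packet (4)."""
    return (wire[-1] == IPIP) == (configured_mode == "tunnel")

# Constructed sample: host 10.1.1.10 sends UDP data to 10.2.2.20 via two gateways.
DATA = b"constructed-data"
PACKET = ipv4_header("10.1.1.10", "10.2.2.20", UDP, len(DATA)) + DATA
GATEWAYS = ("192.0.2.1", "198.51.100.1")

if __name__ == "__main__":
    for name, wire in (("transport", transport_mode(PACKET)),
                       ("tunnel", tunnel_mode(PACKET, *GATEWAYS))):
        print(name, len(wire), "bytes, outer header:", outer_addresses(wire))
    print("tunnel packet accepted by transport-mode peer:",
          receiver_accepts(tunnel_mode(PACKET, *GATEWAYS), "transport"))
```

In transport mode the host addresses remain readable in the outer header, while in tunnel mode only the gateway addresses are exposed, at a cost of 20 extra bytes per packet.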

This manual is also suitable for:

3c13612, 3c13613, 3c13616
