Transport Mode; Tunnel Mode; Ipsec And Nat - ZyXEL Communications Prestige 662HW Series User Manual

Prestige 662HW Series User's Guide

15.3.1 Transport Mode

Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In
Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original
IP header and options, but before any upper layer protocols contained in the packet (such as TCP and
UDP).
With ESP, protection is applied only to the upper layer protocols contained in the packet. The IP
header information and options are not used in the authentication process. Therefore, the originating IP
address cannot be verified for integrity against the data.
With the use of AH as the security protocol, protection is extended forward into the IP header to verify
the integrity of the entire packet by use of portions of the original IP header in the hashing process.

15.3.2 Tunnel Mode

Tunnel mode encapsulates the entire IP packet to transmit it securely. A Tunnel mode is required for
gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel
with authentication and encryption. This is the most common mode of operation. Tunnel mode is
required for gateway to gateway and host to gateway communications. Tunnel mode communications
have two sets of IP headers:
Outside header: The outside IP header contains the destination IP address of the VPN
gateway.
Inside header: The inside IP header contains the destination IP address of the final system
behind the VPN gateway. The security protocol appears after the outer IP header and before
the inside IP header.

15.4 IPSec and NAT

Read this section if you are running IPSec on a host computer behind the Prestige.
NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN
using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash
value appended to the packet. When using AH protocol, packet contents (the data payload) are not
encrypted.
A NAT device in between the IPSec endpoints will rewrite either the source or destination address
with one of its own choosing. The VPN device at the receiving end will verify the integrity of the
incoming packet by computing its own hash value, and complain that the hash value appended to the
received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in
the middle, so it assumes that the data has been maliciously altered.
IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new
IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway,
and its destination address is the inbound address of the VPN device at the receiving end. When using
ESP protocol with authentication, the packet contents (in this case, the entire original packet) are
encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to
the packet.
Tunnel mode ESP with authentication is compatible with NAT because integrity checks are
performed over the combination of the "original header plus original payload," which is unchanged by
a NAT device.
15-4 Introduction to IPSec