Tunnel Mode; Transport Mode - UTT HiPER 840G Advanced Configuration Manual

UTT Technologies
mode, only the original IP packet's payload is protected. In tunnel mode, the entire original
IP packet is protected and then encapsulated into a new IP packet.
When both endpoints of an IPSec tunnel are hosts, you can use transport mode or tunnel
mode. When either end of the tunnel is a security gateway (such as a router or firewall), or
both ends are security gateways, you must use tunnel mode. On the UTT VPN gateway,
IPSec always operates in tunnel mode.

1. Tunnel Mode

In tunnel mode, the entire original IP packet, including the IP header and payload, is protected
and then encapsulated into a new IP packet. As shown in Figure 11-12 Tunnel Mode, the
IPSec AH and/or ESP header is appended to the front of the original IP header, and then a
new IP header is appended to the front of the IPSec header. The source and destination
IP addresses in the new IP header are those of the two endpoints of the IPSec tunnel
respectively.
The entire original IP packet can be encrypted, authenticated, or both. With AH, the AH
and new IP headers can also be authenticated. With ESP, the ESP header can also be
authenticated, but the new IP header cannot be authenticated.

2. Transport Mode

In transport mode, only the original IP packet's payload is protected. As shown in Figure
11-13 Transport Mode, the IPSec AH and/or ESP header is appended to the front of the
payload. With AH, the entire IP packet can be authenticated. With ESP, the payload can
be encrypted and authenticated, and the ESP header can also be authenticated, but the
http://www.uttglobal.com
Figure 11-12 Tunnel Mode
Chapter 10 VPN
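The two packet layouts described above (tunnel mode in section 1, transport mode in section 2) and the difference in what AH and ESP can authenticate can be made concrete in code. The following is an added example, not code from the manual or from UTT; it builds a sample host-to-host IPv4/UDP packet, lays it out as an ESP or AH packet in either mode, and then probes which bytes the integrity check covers. Encryption is not performed (the range ESP would encrypt is reported instead), the ICV is a truncated HMAC over the same byte ranges a real implementation would cover, and all addresses, SPIs and the key are constructed placeholders for this example.

```python
"""Packet-layout model of IPSec transport mode vs tunnel mode for AH and ESP.

Constructed example: host 192.0.2.10 behind gateway A (203.0.113.1) sends
UDP to 198.51.100.20 behind gateway B (203.0.113.2).  All addresses are
RFC 5737 documentation addresses chosen for this example.  Encryption is
omitted; the byte range ESP would encrypt is reported instead, so the script
runs offline on the standard library alone.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 4, 17, 50, 51
IP_HDR_LEN = 20    # fixed IPv4 header, no options
AH_FIXED_LEN = 12  # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12       # truncated HMAC, as in the common HMAC-*-96 ICVs
HOST_A, HOST_B = "192.0.2.10", "198.51.100.20"
GW_A, GW_B = "203.0.113.1", "203.0.113.2"
KEY = b"constructed-example-integrity-key"   # placeholder, not a real SA key


def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def addrs(pkt: bytes) -> tuple:
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))


def sample_packet() -> bytes:
    """Original host-to-host IPv4/UDP packet before IPSec processing (constructed)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + 12, 0) + b"example-data"
    return ipv4_header(HOST_A, HOST_B, IPPROTO_UDP, len(udp)) + udp


def _select(orig: bytes, mode: str, outer_src: str, outer_dst: str) -> tuple:
    """Decide what is protected and which addresses the leading IP header carries."""
    if mode == "tunnel":      # whole original packet; new header names the tunnel endpoints
        return orig, IPPROTO_IPIP, outer_src, outer_dst
    if mode == "transport":   # payload only; the original header and its addresses are kept
        src, dst = addrs(orig)
        return orig[IP_HDR_LEN:], orig[9], src, dst
    raise ValueError("mode must be 'tunnel' or 'transport'")


def esp_encapsulate(orig, mode, spi, seq, key=KEY, outer_src=GW_A, outer_dst=GW_B) -> dict:
    inner, next_hdr, src, dst = _select(orig, mode, outer_src, outer_dst)
    pad_len = (-(len(inner) + 2)) % 4                      # trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    body = struct.pack("!II", spi, seq) + inner + trailer  # ESP header + data to be encrypted
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    pkt = ipv4_header(src, dst, IPPROTO_ESP, len(body) + ICV_LEN) + body + icv
    return {"packet": pkt,
            "encrypted": (IP_HDR_LEN + 8, IP_HDR_LEN + len(body)),   # inner data + trailer
            "authenticated": (IP_HDR_LEN, IP_HDR_LEN + len(body))}   # ESP header .. trailer only


def ah_auth_view(pkt: bytes) -> bytes:
    """AH integrity input: the IP header with mutable fields zeroed (ToS, flags/frag, TTL, checksum)."""
    b = bytearray(pkt)
    b[1] = 0; b[6:8] = b"\0\0"; b[8] = 0; b[10:12] = b"\0\0"
    return bytes(b)


def ah_encapsulate(orig, mode, spi, seq, key=KEY, outer_src=GW_A, outer_dst=GW_B) -> dict:
    inner, next_hdr, src, dst = _select(orig, mode, outer_src, outer_dst)
    ah_hdr = struct.pack("!BBHII", next_hdr, (AH_FIXED_LEN + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, AH_FIXED_LEN + ICV_LEN + len(inner))
    with_zero_icv = ip_hdr + ah_hdr + bytes(ICV_LEN) + inner   # ICV field is zero while computing
    icv = hmac.new(key, ah_auth_view(with_zero_icv), hashlib.sha256).digest()[:ICV_LEN]
    pkt = ip_hdr + ah_hdr + icv + inner
    return {"packet": pkt, "encrypted": None, "authenticated": (0, len(pkt))}


def verify_esp(pkt: bytes, key=KEY) -> bool:
    body, icv = pkt[IP_HDR_LEN:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN], icv)


def verify_ah(pkt: bytes, key=KEY) -> bool:
    off = IP_HDR_LEN + AH_FIXED_LEN
    zeroed = pkt[:off] + bytes(ICV_LEN) + pkt[off + ICV_LEN:]
    expected = hmac.new(key, ah_auth_view(zeroed), hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, pkt[off:off + ICV_LEN])


def with_byte(pkt: bytes, index: int, value: int) -> bytes:
    """Copy of pkt with one byte changed, used to probe what the ICV covers."""
    b = bytearray(pkt); b[index] = value
    return bytes(b)


if __name__ == "__main__":
    orig = sample_packet()
    for mode in ("transport", "tunnel"):
        esp = esp_encapsulate(orig, mode, 0x100, 1)
        ah = ah_encapsulate(orig, mode, 0x200, 1)
        print(mode, "ESP outer addrs", addrs(esp["packet"]), "encrypted bytes", esp["encrypted"],
              "outer dst change still verifies:", verify_esp(with_byte(esp["packet"], 16, 0)))
        print(mode, "AH  outer addrs", addrs(ah["packet"]),
              "outer dst change still verifies:", verify_ah(with_byte(ah["packet"], 16, 0)))
```

Running the script shows the point made in the text: in tunnel mode the leading header carries the gateway addresses and the complete original packet follows the IPSec header, while in transport mode the original header (and its host addresses) is reused and only the payload follows. Flipping a byte of the outer destination address leaves the ESP check passing, because ESP's ICV covers only the ESP header, payload and trailer, whereas the same change fails the AH check; changing the TTL still passes AH, since the mutable header fields are zeroed before the AH ICV is computed.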
