Tunnel Mode

Tunnel mode is used between two gateways, or between a host and a gateway when that gateway is the conduit to the actual source or destination. In tunnel mode, the entire original IP packet, header included, is encapsulated and becomes the payload of a new IP packet, so the original packets do not have to be routable across the Internet (private addressing behind the gateways is fine). The new outer IP header carries the addresses of the two IPsec peers. The biggest advantage of tunnel mode is that everything in the original packet, including its header, is protected. With ESP, tunnel mode also limits traffic analysis: an observer can determine the tunnel endpoints, but not the true source and destination, because the original IP header is encrypted along with the rest of the packet. The size and timing of the outer packets remain observable, so tunnel mode hides who is talking to whom inside the tunnel, not that traffic is flowing between the peers.
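To make the encapsulation concrete, here is an added example (not from the book) that builds an ESP tunnel-mode packet in the RFC 4303 layout: a new outer IPv4 header, the ESP header (SPI and sequence number), the whole inner IP packet as encrypted payload, the ESP trailer (padding, pad length, next header = 4 for IP-in-IP), and an ICV. All addresses, keys, the SPI and the payload are constructed for the example, and the cipher is a stand-in PRF keystream (HMAC-SHA256 in counter mode) so the code runs with the standard library only; it is not a real IPsec transform. The point is the layout and what an on-path observer can read.

```python
"""ESP tunnel-mode encapsulation sketch (RFC 4303 layout), illustrative only.

Constructed example: addresses, keys, SPI and payload are made up. The
"cipher" is an HMAC-SHA256 counter-mode keystream standing in for a real
ESP transform; only the packet structure and visibility argument matter.
"""
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50            # outer IP header protocol number for ESP
IPIP_NEXT_HEADER = 4      # ESP trailer next-header value for an encapsulated IPv4 packet
ICV_LEN = 16              # truncated ICV, as the HMAC-SHA2 ESP transforms do
IV_LEN = 8


def _checksum(data):
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def _keystream(key, iv, n):
    """Stand-in keystream: HMAC-SHA256(key, iv || counter) blocks (not an IPsec cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_tunnel_encapsulate(inner_packet, spi, seq, enc_key, auth_key, outer_src, outer_dst, iv):
    """Wrap a whole inner IP packet in ESP (tunnel mode) behind a new outer IPv4 header."""
    assert len(iv) == IV_LEN
    # ESP trailer: pad so (payload + 2 trailer bytes) is 4-byte aligned, then pad length + next header
    pad_len = (-(len(inner_packet) + 2)) % 4
    plaintext = inner_packet + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPIP_NEXT_HEADER])
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    authed = struct.pack("!II", spi, seq) + iv + ciphertext   # ESP header + IV + encrypted body
    icv = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    esp = authed + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def outer_addresses(packet):
    """What an on-path observer can read: outer source, destination and protocol only."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])), packet[9])


def esp_tunnel_decapsulate(packet, enc_key, auth_key):
    """Verify the ICV, decrypt, strip the ESP trailer and return (spi, seq, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    esp = packet[ihl:]
    authed, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):      # check integrity before decrypting
        raise ValueError("ESP ICV check failed")
    spi, seq = struct.unpack("!II", authed[:8])
    iv, ciphertext = authed[8:8 + IV_LEN], authed[8 + IV_LEN:]
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, iv, len(ciphertext))))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != IPIP_NEXT_HEADER:
        raise ValueError("unexpected next header %d" % next_hdr)
    return spi, seq, plaintext[:-(2 + pad_len)]


def demo():
    """Encapsulate a private-network packet between two gateways and show what leaks."""
    enc_key, auth_key = b"k" * 32, b"a" * 32                  # constructed keys, not SA material
    iv = bytes.fromhex("0011223344556677")
    payload = b"hello from the private net"                  # stands in for a UDP datagram
    inner = ipv4_header("10.1.1.5", "10.2.2.7", 17, len(payload)) + payload
    outer = esp_tunnel_encapsulate(inner, 0x1000, 1, enc_key, auth_key,
                                   "203.0.113.1", "198.51.100.9", iv)
    tampered = outer[:-1] + bytes([outer[-1] ^ 1])           # flip one ICV bit
    try:
        esp_tunnel_decapsulate(tampered, enc_key, auth_key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    spi, seq, recovered = esp_tunnel_decapsulate(outer, enc_key, auth_key)
    return {"inner": inner, "outer": outer_addresses(outer), "recovered": recovered,
            "spi": spi, "seq": seq, "tamper_detected": tamper_detected,
            "inner_src_visible": ipaddress.IPv4Address("10.1.1.5").packed in outer}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the observer's view is only the two gateway addresses and protocol 50, the inner 10.x addresses are recovered intact by the peer, and a single flipped bit fails the ICV check before anything is decrypted. Note that the 4-byte ESP padding does little to hide the inner packet length; RFC 4303's optional TFC padding exists for that purpose.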

Just as in transport mode, tunnel mode can be configured with either AH or ESP.

  • Tunnel Mode with AH The entire original packet, header and payload, is authenticated, and the new outer IP header is protected in the same way that the IP header is protected in transport mode: its immutable fields are covered by the ICV, while fields that change in transit, such as TTL and the header checksum, are excluded (see Figure 6-2). AH provides no confidentiality, so the original source and destination addresses remain readable to an observer.