IPsec Communication Modes: Tunnel and Transport
Both AH and ESP can be applied in two modes: transport and tunnel. In transport
mode, only the data portion of an IP packet is affected; the original IP
header is not changed. Tunnel mode encapsulates the entire original packet as the
data portion of a new packet and creates a new outer IP header. (AH and/or
ESP headers are created in both modes.) Transport mode is used when both the
receiver and the sender are endpoints of the communication (for example, two
hosts communicating directly with each other). Tunnel mode is more suitable for
site-to-site VPNs because it allows tunneling of traffic through the tunnel established
between two gateways.
In transport mode, the IP packet contains an AH or ESP header right after
the original IP header and before upper-layer data such as a TCP header and
application data. If ESP is applied to the packet, only this upper-layer data is
encrypted. If optional ESP authentication is used, only the upper-layer data, not the
IP header, is authenticated. If AH is applied to the packet, both the original IP
header and the upper-layer data are authenticated. Figure 7.3 shows what happens to
the packet when IPsec is applied in transport mode.
www.syngress.com
Figure 7.3 Packet Structure in Transport Mode
[Figure: two panels. AH encapsulation: the original packet (Original IP Header | Data (upper layer protocol)) becomes Original IP Header | AH Header | Data (upper layer protocol), authenticated except for the mutable fields. ESP encapsulation: the original packet becomes IP Header | ESP Header | Data (encrypted) | ESP Trailer | ESP Authentication, with the encrypted and authenticated extents marked.]
Configuring Virtual Private Networking • Chapter 7 339
Tunnel mode, the most common mode of operation, allows the establishment
of an encrypted and authenticated IP tunnel between two sites. The original packet
is encrypted and/or authenticated and encapsulated by the sending gateway into the
data portion of a new IP packet, and then a new IP header is added to it with the
destination address of the receiving gateway. The ESP and/or AH header is inserted
between this new header and the data portion. The receiving gateway performs
decryption and authentication of the packet, extracts the original IP packet
(including the original source/destination IPs), and forwards it to the destination
network. Figure 7.4 demonstrates the encapsulation performed in tunnel mode.
Again, if AH is used, both the original IP header and the new IP header are
protected (authenticated), but if ESP is used, even with the authentication option,
only the original IP address, not the sending gateway's IP address, is protected.
This setup is actually not that bad, because it is very difficult to spoof a correct
IPsec packet without knowing many secret parameters. The exclusion of the
new IP header from the authenticated data also allows tunnels to pass through
devices that perform NAT. When the new header is created, most of the options
from the original IP header are mapped onto the new one, for example the
Type of Service (ToS) field.
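To make the transport-mode and tunnel-mode layouts above concrete, here is an added Python example (not from the book) that ESP-encapsulates a constructed IPv4 packet both ways and reports which byte ranges the cipher and the ICV would cover; the addresses, SPI and key are constructed, the ICV is HMAC-SHA-256-96, and no payload encryption is actually performed.

```python
import hashlib
import hmac
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50

def ipv4_header(src, dst, proto, payload_len, tos=0, ttl=64):
    """20-byte IPv4 header (src/dst as 4 bytes; checksum left zero, layout only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                       0, 0, ttl, proto, 0, src, dst)

def esp_encapsulate(packet, mode, spi, seq, auth_key, gw_src=None, gw_dst=None):
    """ESP-encapsulate an IPv4 packet in 'transport' or 'tunnel' mode.
    Returns the new packet and the byte ranges that the cipher and the ICV
    cover. The payload is left in clear here; only the ranges are computed."""
    ip_hdr, upper = packet[:20], packet[20:]
    if mode == "transport":
        inner, next_hdr = upper, ip_hdr[9]        # only upper-layer data is wrapped
        src, dst = ip_hdr[12:16], ip_hdr[16:20]   # original addresses stay
    else:
        inner, next_hdr = packet, IPPROTO_IPIP    # whole original packet is wrapped
        src, dst = gw_src, gw_dst                 # new outer header: gateway addresses
    pad_len = (-(len(inner) + 2)) % 4             # payload+trailer aligned to 4 bytes
    trailer = bytes(pad_len) + bytes([pad_len, next_hdr])
    body = struct.pack("!II", spi, seq) + inner + trailer
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:12]  # HMAC-SHA-256-96
    outer = ipv4_header(src, dst, IPPROTO_ESP, len(body) + 12, tos=ip_hdr[1])
    return {
        "packet": outer + body + icv,
        "encrypted": (28, 20 + len(body)),        # payload + trailer, not the ESP header
        "authenticated": (20, 20 + len(body)),    # ESP header..trailer; outer IP excluded
    }

def esp_mode(esp_packet):
    """Mode from the trailer's Next Header (byte before the 12-byte ICV):
    4 = IP-in-IP, i.e. tunnel mode; anything else is transport mode. On a real
    packet this byte is inside the ciphertext, so only the receiver can read it."""
    return "tunnel" if esp_packet[-13] == IPPROTO_IPIP else "transport"

if __name__ == "__main__":
    key = b"constructed-demo-key"                 # constructed, not a real SA key
    orig = ipv4_header(bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]),
                       IPPROTO_TCP, 12, tos=0x10) + b"tcp-segment!"
    for mode in ("transport", "tunnel"):
        r = esp_encapsulate(orig, mode, 0x1000, 1, key,
                            gw_src=bytes([203, 0, 113, 1]), gw_dst=bytes([198, 51, 100, 1]))
        print(mode, len(r["packet"]), "bytes; authenticated", r["authenticated"],
              "encrypted", r["encrypted"], "inferred:", esp_mode(r["packet"]))
```

In tunnel mode the outer header (bytes 0 to 19) falls outside the authenticated range, which is exactly why a NAT device can rewrite it without breaking the ICV, while the copied ToS byte shows the option mapping the text describes.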