Ipsec encapsulation modes – Panasonic 8000 User Manual


2 IPSec and IKE troubleshooting

Nortel Secure Router 8000 Series

Troubleshooting - VAS

IPSec encapsulation modes

The SA specifies the protocol encapsulation modes. IPSec has two encapsulation modes:

• Transport mode: AH/ESP is inserted following the IP header but before all transport
layer protocols or all other IPSec protocols. Figure 2-1 shows the format of transport
mode packets.

• Tunnel mode: AH/ESP is inserted before the original IP header but after the new IP
header. Figure 2-2 shows the format of tunnel mode packets.

Figure 2-1 Format of the transport mode packets

Transport mode is suitable for communication between two hosts or between a host and a
security gateway. In this mode, the two devices that encrypt or decrypt packets must be the
original packet sender and the final receiver respectively.

Tunnel mode is suitable for communication between two security gateways.
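
The header ordering described above can be checked on a captured AH packet. The following is an added example, not part of the Nortel manual: it builds one constructed IPv4 packet per mode and reads the AH next-header field to tell them apart. The function names, addresses and SPI values are assumptions made for illustration.

```python
import struct

AH, ESP, IPIP, TCP = 51, 50, 4, 6  # IANA IP protocol numbers

def ipv4(proto, src, dst, payload):
    """20-byte IPv4 header (checksum left 0: constructed sample) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def ah(next_header, spi, seq, payload, icv=b"\x00" * 12):
    """AH header: next header, length (32-bit words minus 2), reserved, SPI, seq, ICV."""
    words = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, words, 0, spi, seq) + icv + payload

def inspect(packet):
    """Return (mode, outer_src, inner_src) for an IPv4 packet; inner_src is None
    unless a second IP header follows AH (tunnel mode)."""
    ihl = (packet[0] & 0x0F) * 4
    proto, outer_src = packet[9], tuple(packet[12:16])
    if proto == ESP:
        # ESP carries its next-header field in the trailer, which is normally
        # encrypted, so the mode cannot be read from a capture without the SA keys.
        return ("esp-undetermined", outer_src, None)
    if proto != AH:
        return ("not-ipsec", outer_src, None)
    next_header, words = packet[ihl], packet[ihl + 1]
    if next_header != IPIP:
        return ("transport", outer_src, None)
    inner = ihl + (words + 2) * 4          # skip the whole AH header
    return ("tunnel", outer_src, tuple(packet[inner + 12:inner + 16]))

# Constructed samples: hosts 10.0.0.1 -> 10.0.1.1, gateways 192.0.2.1 -> 198.51.100.1
HOST_A, HOST_B = (10, 0, 0, 1), (10, 0, 1, 1)
GW_A, GW_B = (192, 0, 2, 1), (198, 51, 100, 1)
SEGMENT = b"\x00" * 20                      # placeholder TCP header

# Transport mode: IP | AH | TCP
TRANSPORT = ipv4(AH, HOST_A, HOST_B, ah(TCP, 0x1000, 1, SEGMENT))
# Tunnel mode: new IP | AH | original IP | TCP
TUNNEL = ipv4(AH, GW_A, GW_B, ah(IPIP, 0x2000, 1, ipv4(TCP, HOST_A, HOST_B, SEGMENT)))

if __name__ == "__main__":
    for name, pkt in (("transport", TRANSPORT), ("tunnel", TUNNEL)):
        print(name, inspect(pkt))
```

In the tunnel-mode sample the outer source is the gateway address while the inner header still carries the original host address, which is a quick way to confirm on a capture that both peers negotiated the same mode.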

Authentication algorithms and encryption algorithms

• Authentication algorithms

AH and ESP can authenticate the integrity of an IP packet to determine whether the
packet was modified during transmission. Authentication is implemented using a hash
function. Each IPSec peer calculates the message digest. If both peers get the same
digest, the packet is intact and unmodified. The two types of IPSec authentication
algorithms are as follows:

Nortel Networks Inc.

Issue 01.01 (30 March 2009)
