
Extranet VPN Business Scenario 4-15
Configuring IPSec and IPSec Tunnel Mode
Note: In IPSec tunnel mode, the entire original IP datagram is encrypted, and it becomes
the payload in a new IP packet. This mode allows a network device, such as a router, to act
as an IPSec proxy. That is, the router performs encryption on behalf of the hosts. The
source’s router encrypts packets and forwards them along the IPSec tunnel. The
destination’s router decrypts the original IP datagram and forwards it on to the destination
system. The major advantage of tunnel mode is that the end systems do not need to be
modified to receive the benefits of IPSec. Tunnel mode also protects against traffic analysis;
with tunnel mode an attacker can only determine the tunnel endpoints and not the true
source and destination of the tunneled packets, even if they are the same as the tunnel
endpoints.
In IPSec transport mode, only the IP payload is encrypted, and the original IP headers are
left intact. (See Figure 4-4.) This mode has the advantage of adding only a few bytes to each
packet. It also allows devices on the public network to see the final source and destination
of the packet. This capability allows you to enable special processing (for example, QoS)
in the intermediate network based on the information in the IP header. However, the Layer 4
header will be encrypted, limiting the examination of the packet. Unfortunately, by passing
the IP header in the clear, transport mode allows an attacker to perform some traffic
analysis. (See the “Defining Transform Sets” section on page 3-22 for an IPSec transport
mode configuration example.)
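The encapsulation difference described in the two paragraphs above, worked through as an added example (not code from this guide or from Cisco IOS): it builds a constructed host-to-host TCP datagram, wraps it in ESP the way a tunnel-mode gateway pair would (new outer IP header between the two gateways, original datagram inside) and the way transport mode would (original header kept, only the payload protected), and then shows what a device on the public network can read from each packet. The addresses, SPI and key are made up, and the cipher is a stand-in (HMAC-SHA256 driven in counter style) rather than the AES/3DES transform a transform set would select; the ESP layout (SPI, sequence number, IV, padded payload with trailer, truncated ICV) follows the real header format so the byte overhead comparison is meaningful.

```python
import hashlib
import hmac
import os
import struct

ESP_PROTO = 50      # IP protocol number carried in the outer header for ESP
IP_IN_IP = 4        # ESP next-header value for a tunneled IPv4 datagram
TCP = 6
ICV_LEN = 12        # truncated integrity check value, as in the *-96 HMAC transforms
KEY = b"constructed-example-sa-key"   # stand-in for the SA keying material (constructed)


def ip_to_bytes(ip):
    return ip if isinstance(ip, bytes) else bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip_to_bytes(src), ip_to_bytes(dst))


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header with only ports, data offset and flags set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)


def _subkey(key, label):
    # Separate encryption and integrity keys derived from the SA key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_keystream(key, iv, data):
    # Stand-in cipher: HMAC-SHA256 as a PRF in counter mode. Symmetric, so the
    # same call encrypts and decrypts. This is NOT the transform set's cipher.
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = hmac.new(key, iv + blk.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[blk * 32:(blk + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def esp_encapsulate(plain, next_header, key, spi=0x1000, seq=1):
    """ESP = SPI | seq | IV | enc(plain | pad | pad_len | next_header) | ICV."""
    pad_len = (-(len(plain) + 2)) % 4                 # align the trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    iv = os.urandom(8)
    ct = _xor_keystream(_subkey(key, b"enc"), iv, plain + trailer)
    body = struct.pack("!II", spi, seq) + iv + ct
    icv = hmac.new(_subkey(key, b"auth"), body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(esp, key):
    """Verify the ICV, decrypt, strip the trailer; returns (plain, next_header)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(_subkey(key, b"auth"), body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified or wrong SA")
    pt = _xor_keystream(_subkey(key, b"enc"), body[8:16], body[16:])
    pad_len, next_header = pt[-2], pt[-1]
    return pt[:len(pt) - 2 - pad_len], next_header


def tunnel_mode(datagram, gw_src, gw_dst, key=KEY):
    """Tunnel mode: the whole original datagram becomes the ESP payload of a
    new outer IP packet addressed between the two IPSec gateways."""
    esp = esp_encapsulate(datagram, IP_IN_IP, key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode_decapsulate(packet, key=KEY):
    """Destination gateway: strip the outer header, decrypt, recover the datagram."""
    plain, next_header = esp_decapsulate(packet[20:], key)
    if next_header != IP_IN_IP:
        raise ValueError("not a tunneled IPv4 datagram")
    return plain


def transport_mode(datagram, key=KEY):
    """Transport mode: the original IP header stays in the clear (protocol field
    now says ESP); only the Layer 4 header and data are encrypted."""
    hdr, payload = datagram[:20], datagram[20:]
    esp = esp_encapsulate(payload, hdr[9], key)        # hdr[9] = original protocol
    return ipv4_header(hdr[12:16], hdr[16:20], ESP_PROTO, len(esp)) + esp


def observer_view(packet):
    """What a device on the public network can read: the outer IP header only."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"src": bytes_to_ip(f[8]), "dst": bytes_to_ip(f[9]),
            "proto": f[6], "size": len(packet)}


def sample_datagram():
    """Constructed host-to-host TCP datagram; addresses and content are made up."""
    seg = tcp_header(49152, 443) + b"GET / HTTP/1.1\r\n"
    return ipv4_header("10.1.1.5", "10.2.2.7", TCP, len(seg)) + seg


if __name__ == "__main__":
    orig = sample_datagram()
    t = tunnel_mode(orig, "192.0.2.1", "198.51.100.1")   # gateway addresses (constructed)
    x = transport_mode(orig)
    print("tunnel   :", observer_view(t))
    print("transport:", observer_view(x))
    print("restored :", tunnel_mode_decapsulate(t) == orig)
```

Running it shows the two points the guide makes: in tunnel mode the observer sees only the gateway addresses 192.0.2.1 and 198.51.100.1, while in transport mode the true endpoints 10.1.1.5 and 10.2.2.7 are readable; in both modes the protocol field reads 50 (ESP) and the TCP ports are inside the ciphertext. With the same padding in both cases, the tunnel-mode packet is exactly 20 bytes larger, the cost of the extra IP header. In an IOS transform set this choice is the `mode tunnel` versus `mode transport` setting referred to in the "Defining Transform Sets" section.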