Product specifications
Efficient Networks® Router family Technical Reference Guide
Chapter 5: System Security
Page 5-51
The router supports both IPSec encapsulation methods: it can serve as the endpoint of a tunnel mode connection or as the endpoint of a transport mode connection. In addition, while operating in tunnel mode, the router allows transport mode traffic to flow through it.
Tunnel mode is the default encapsulation mode for the router. It is used when the IPSec packet comes either from another device or from the encrypting device itself. In tunnel mode, the original IP header is encrypted as part of the payload, and an entirely new IP header is added to the packet. Tunnel mode therefore prevents network traffic analysis: a network attacker could determine the tunnel endpoints (the gateway addresses), but not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.
Transport mode is used when the IPSec packet originates in the encrypting device. In transport mode, only the payload (data portion) of each IP packet is encapsulated and/or encrypted. An IPSec header is inserted between the IP header and the upper layer protocol header.
The router should be configured for transport mode when a client is communicating directly with the router. For example, use transport mode when a remote user wants to access the HTML setup pages or Telnet into the router. Transport mode can also be used for L2TP over IPSec. The routers at either end of the L2TP tunnel perform both the IPSec and L2TP encapsulations, so the routers can use tunnel and transport mode for communications.
ESP and AH Security Protocols
An IPSec connection must use either the AH or the ESP security protocol. The protocol selected determines the encapsulation method used. In addition, the protocol determines whether encryption may be performed. If the AH protocol is selected, only packet authentication can be performed, not encryption. If the ESP protocol is selected, it can perform encryption, authentication, or both encryption and authentication.
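The following added example (not code from this guide or from the Efficient Networks router firmware) makes the difference between the two encapsulation modes concrete, and also illustrates the authentication-only case discussed under ESP and AH. It builds a constructed IPv4/UDP packet between two hosts, wraps it once in tunnel mode (new outer header carrying constructed gateway addresses 203.0.113.1 and 198.51.100.1) and once in transport mode (original header kept, ESP header inserted before the UDP payload), and then shows what a passive observer on the path can read from the outer header. The ESP framing follows RFC 4303 (SPI, sequence number, payload, padding, pad length, next header, ICV) but uses NULL encryption with an HMAC-SHA-256 ICV truncated to 128 bits, i.e. ESP in authentication-only form, so that the example needs nothing beyond the standard library; the key, SPI and addresses are all constructed values.

```python
"""Tunnel vs. transport mode ESP framing on constructed packets (authentication-only ESP)."""
import hashlib
import hmac
import struct

ESP_PROTO = 50    # IANA protocol number for ESP
IPIP_PROTO = 4    # "next header" value for an encapsulated IPv4 packet (tunnel mode)
UDP_PROTO = 17

KEY = b"constructed-example-key-not-for-real-use"  # constructed HMAC key
SPI = 0x1000ABCD                                    # constructed SPI


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement checksum over the IPv4 header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Return outer-header fields and the payload; this is all an on-path observer sees."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "proto": proto,
        "payload": packet[ihl:total_len],
    }


def esp_encapsulate(spi: int, seq: int, data: bytes, next_header: int, key: bytes) -> bytes:
    """ESP framing per RFC 4303 with NULL encryption: data stays in clear, ICV protects it."""
    pad_len = (-(len(data) + 2)) % 4            # pad so the 2-byte trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + data + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:16]   # HMAC-SHA-256-128
    return body + icv


def esp_decapsulate(esp: bytes, key: bytes) -> tuple:
    """Verify the ICV, then strip header, padding and trailer. Returns (next_header, data)."""
    body, icv = esp[:-16], esp[-16:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet was modified in transit or the key is wrong")
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]


def tunnel_mode(original: bytes, gw_src: str, gw_dst: str, seq: int) -> bytes:
    """Whole original packet (header included) becomes the ESP payload; new outer header added."""
    esp = esp_encapsulate(SPI, seq, original, IPIP_PROTO, KEY)
    return build_ipv4(gw_src, gw_dst, ESP_PROTO, esp)


def transport_mode(original: bytes, seq: int) -> bytes:
    """Original header is kept; ESP header sits between it and the upper-layer payload."""
    inner = parse_ipv4(original)
    esp = esp_encapsulate(SPI, seq, inner["payload"], inner["proto"], KEY)
    return build_ipv4(inner["src"], inner["dst"], ESP_PROTO, esp)


def observer_view(packet: bytes) -> tuple:
    """(src, dst, protocol) as read from the outer header by a passive observer."""
    p = parse_ipv4(packet)
    return p["src"], p["dst"], p["proto"]


# Constructed sample traffic: a host behind gateway A talking UDP to a host behind gateway B.
ORIGINAL = build_ipv4("10.0.0.5", "10.1.0.9", UDP_PROTO, b"hello")
TUNNEL = tunnel_mode(ORIGINAL, "203.0.113.1", "198.51.100.1", seq=1)
TRANSPORT = transport_mode(ORIGINAL, seq=1)

if __name__ == "__main__":
    print("tunnel mode, observer sees:   ", observer_view(TUNNEL))     # gateway addresses only
    print("transport mode, observer sees:", observer_view(TRANSPORT))  # real endpoints, proto 50
```

In tunnel mode the observer learns only the two gateway addresses and that protocol 50 is in use; in transport mode the true endpoints remain visible and only the upper-layer payload is protected, which is why transport mode fits host-to-router traffic such as the setup pages or Telnet. The `esp_decapsulate` check also shows the authentication property shared by AH and authenticated ESP: any modification of the protected bytes is rejected before the inner packet is handed on.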
Figure 5-4: Tunnel and Transport Encapsulation Modes
[Figure: Tunnel Mode: Device or router, Router, Router, Device or router; secure data traffic between devices. Transport Mode: secure packet traffic between ...]