HP-UX IPSec Version A.03.00 Administrator's Guide
Tunnel Mode
In tunnel mode, IPsec encloses, or encapsulates, the original IP packet, including the original
IP header, within a second IP datagram. All of the original IP packet, including the original
header, is secured. Tunnel mode is typically used on secure gateways. When ESP is used in
tunnel mode on gateways, the outer, unencrypted IP header contains the IP addresses of the
gateways, and the inner, encrypted IP header contains the end IP source and destination addresses.
This prevents eavesdroppers from detecting or analyzing traffic between the end source and
destination addresses. Figure 1-5 shows IPv4 ESP packets in tunnel mode.
Figure 1-5 ESP Tunnel Mode (figure not reproduced): New IP Header | ESP Header | IP Header | Payload | ESP Trailer | ESP Authentication. The figure marks the IP Header through the ESP Trailer as encrypted and the ESP Header through the ESP Trailer as authenticated.
IPv6 ESP Transport Mode
In IPv6 ESP transport mode (shown in Figure 1-6), IPsec inserts the ESP header after the following
headers and extensions:
• the basic IPv6 header
• hop-by-hop options
• any destination options needed to interpret the ESP header
• routing extensions
• fragment extensions
The items listed below follow the ESP header and are encrypted and authenticated:
• any destination options needed only for the “final” destination and not needed to interpret
the ESP header
• the IP data or payload (e.g., TCP or UDP packet)
Figure 1-6 IPv6 ESP in Transport Mode (figure not reproduced): IP Header | Extension Headers (a) | ESP Header | Destination Options (b) | Payload | ESP Trailer | ESP Authentication, where (a) are the extensions listed above that precede the ESP header and (b) are the destination options needed only at the final destination. The figure marks Destination Options (b) through the ESP Trailer as encrypted and the ESP Header through the ESP Trailer as authenticated.
IPv6 ESP Tunnel Mode
In IPv6 ESP tunnel mode (shown in Figure 1-7), the packet layout is the same as IPv4 ESP tunnel
mode, except that the original and new (outer) IP headers may include header extensions.
Figure 1-7 IPv6 ESP in Tunnel Mode (figure not reproduced): New IP Header | New Extension Headers | ESP Header | IP Header | Extension Headers | Payload | ESP Trailer | ESP Authentication. The figure marks the IP Header through the ESP Trailer as encrypted and the ESP Header through the ESP Trailer as authenticated.
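As an added illustration of the three layouts above (this is not code from the HP-UX guide), the following Python model places the ESP header according to the rules given for transport and tunnel mode and reports, per field, whether it is encrypted and whether the ESP authentication field covers it; the extension-header names and the `outer_ext_headers` parameter are assumptions chosen for this example.

```python
# Added illustration (not code from the HP-UX guide): a model of the ESP
# layouts described above, answering which fields an on-path observer can
# read, which are encrypted, and which the ESP authentication (ICV) covers.

# IPv6 extension headers placed before ESP in transport mode (names assumed).
BEFORE_ESP = ("hop-by-hop", "destination-options-esp", "routing", "fragment")
# Placed after ESP, inside the encrypted and authenticated region.
AFTER_ESP = ("destination-options-final",)


def esp_layout(mode, ext_headers=(), outer_ext_headers=()):
    """Return [(field, encrypted, authenticated), ...] in wire order.

    mode: "transport" or "tunnel".
    ext_headers: IPv6 extension headers of the original packet, in order
    (empty for IPv4). outer_ext_headers: extensions a gateway adds to the
    new outer header in tunnel mode (assumed parameter).
    """
    unknown = set(ext_headers) | set(outer_ext_headers)
    unknown -= set(BEFORE_ESP) | set(AFTER_ESP)
    if unknown:
        raise ValueError(f"unknown extension header(s): {sorted(unknown)}")
    if mode == "tunnel":
        # The outer header names only the gateways; the whole original
        # packet, including its IP header and extensions, sits inside ESP.
        fields = [("new IP header", False, False)]
        fields += [(f"new {h} header", False, False) for h in outer_ext_headers]
        fields.append(("ESP header", False, True))
        fields.append(("IP header", True, True))
        fields += [(f"{h} header", True, True) for h in ext_headers]
    elif mode == "transport":
        before = [h for h in ext_headers if h in BEFORE_ESP]
        after = [h for h in ext_headers if h in AFTER_ESP]
        if before + after != list(ext_headers):
            raise ValueError("final-destination options must follow the other extensions")
        fields = [("IP header", False, False)]
        fields += [(f"{h} header", False, False) for h in before]
        fields.append(("ESP header", False, True))
        fields += [(f"{h} header", True, True) for h in after]
    else:
        raise ValueError(f"unknown mode: {mode}")
    fields.append(("payload", True, True))
    fields.append(("ESP trailer", True, True))
    fields.append(("ESP authentication (ICV)", False, False))
    return fields


def visible_to_observer(mode, ext_headers=(), outer_ext_headers=()):
    """Fields a passive eavesdropper can read without the SA keys."""
    layout = esp_layout(mode, ext_headers, outer_ext_headers)
    return [name for name, encrypted, _ in layout if not encrypted]
```

Running `visible_to_observer("tunnel")` shows that only the outer header and the ESP framing are readable on the path, which is the property the tunnel-mode text attributes to gateway deployments.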
IPsec Protocol Suite 35