User's Guide
Chapter 10 IPSec VPN Config Screens
LAN-Cell 2 User’s Guide
252
Active Protocol
The active protocol controls the format of each packet. It also specifies how much of each
packet is protected by the encryption and authentication algorithms. IPSec VPN includes two
active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security
Payload, RFC 2406).
Note: The LAN-Cell and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable
for use with NAT.
Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is
more secure. Transport mode is only used when the IPSec SA is used for communication
between the LAN-Cell and remote IPSec router (for example, for remote management), not
between computers on the local and remote networks.
Note: The LAN-Cell and remote IPSec router must use the same encapsulation.
These modes are illustrated below.
In tunnel mode, the LAN-Cell uses the active protocol to encapsulate the entire IP packet. As a
result, there are two IP headers:
• Outside header: The outside IP header contains the IP address of the LAN-Cell or remote
IPSec router, whichever is the destination.
• Inside header: The inside IP header contains the IP address of the computer behind the
LAN-Cell or remote IPSec router. The header for the active protocol (AH or ESP) appears
between the IP headers.
Figure 154 VPN: Transport and Tunnel Mode Encapsulation
Original Packet: IP Header | TCP Header | Data
Transport Mode Packet: IP Header | AH/ESP Header | TCP Header | Data
Tunnel Mode Packet: IP Header | AH/ESP Header | IP Header | TCP Header | Data
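To make the two layouts in the figure concrete, here is an added Python example (not from the LAN-Cell guide) that builds a constructed packet in AH transport mode and AH tunnel mode and walks the visible header chain to tell the two modes apart; the addresses, SPIs and the zero ICV placeholder are assumptions. For ESP the walk stops at the ESP header, because the next-header field that would reveal an inner IP header sits in the encrypted ESP trailer.

```python
import struct
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header, no options; checksum left as zero (constructed sample).
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, addr(src), addr(dst))

def ah_header(next_header, spi, seq, icv=b"\x00" * 12):
    # RFC 2402 AH: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq, ICV.
    # A real ICV is an HMAC over the packet; the zero placeholder only keeps the layout.
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

# Constructed sample: a TCP SYN from a LAN host to a host behind the remote router.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 8192, 0, 0)
ORIGINAL = ipv4_header("10.0.0.5", "10.0.1.7", IPPROTO_TCP, len(TCP_SYN)) + TCP_SYN

def build_transport():
    # Transport mode: the original IP header is kept; AH sits between it and TCP.
    ah = ah_header(IPPROTO_TCP, spi=0x1001, seq=1)
    return ipv4_header("10.0.0.5", "10.0.1.7", IPPROTO_AH, len(ah) + len(TCP_SYN)) + ah + TCP_SYN

def build_tunnel():
    # Tunnel mode: a new outer IP header (router to router) and AH wrap the whole original packet.
    ah = ah_header(IPPROTO_IPIP, spi=0x1002, seq=1)
    return ipv4_header("203.0.113.1", "198.51.100.2", IPPROTO_AH, len(ah) + len(ORIGINAL)) + ah + ORIGINAL

def walk_headers(pkt):
    """Return the header chain an observer can see, e.g. ['IP', 'AH', 'IP', 'TCP']."""
    chain, off, proto = [], 0, IPPROTO_IPIP  # start by parsing the outer IP header
    while True:
        if proto == IPPROTO_IPIP:
            chain.append("IP"); proto = pkt[off + 9]; off += (pkt[off] & 0x0F) * 4
        elif proto == IPPROTO_AH:
            chain.append("AH"); proto = pkt[off]; off += (pkt[off + 1] + 2) * 4
        elif proto == IPPROTO_ESP:
            chain.append("ESP"); break   # next-header field is inside the encrypted ESP trailer
        elif proto == IPPROTO_TCP:
            chain.append("TCP"); break
        else:
            chain.append(f"proto{proto}"); break
    return chain

def classify_mode(pkt):
    # 'tunnel' when AH is followed by an inner IP header, 'transport' when TCP follows directly.
    chain = walk_headers(pkt)
    if "ESP" in chain:
        return "unknown (ESP hides the inner layout)"
    return "tunnel" if chain[:3] == ["IP", "AH", "IP"] else "transport"
```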