Transport and Tunnel Mode
In configuring IPSec, one of the early decisions that must
be made is whether the session is a Tunnel or a Transport mode connection. This
distinction affects the other configuration decisions that follow.
Tunnel Mode
Tunnel mode is the most common mode; it is used for a VPN connection between
two gateway devices or for a connection between an end station and a gateway
device. A Tunnel mode connection would be typical between a branch office and
the main office, giving multiple hosts on the branch LAN access to multiple
shared resources on the main network. An example of the end-host-to-gateway VPN
tunnel would be a traveling employee or telecommuter connecting to the company
network to access shared resources, such as e-mail, files, printing, and so
forth.
In Figure 9-9, each of the connections to the main
office would normally be a Tunnel mode connection between the two routers. The
mobile user or telecommuter would typically have a VPN tunnel connection from
their workstation to the Main Office router.
Tunnel Mode Encryption
The more secure Tunnel mode encrypts both the original IP header and
the payload. This is possible because, while the packet is in transit through the
tunnel, it is fully encapsulated in a new packet that uses the tunnel endpoints as
the source and destination addresses. Any device recording a packet in transit
would be unable to read any part of the original packet and could only determine
the endpoints of the tunnel.
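As an added illustration (not from the book), the encapsulation just described in Python: a complete inner IP packet, header included, is wrapped in an ESP payload carried between two gateways, and a helper shows what a device recording the packet on the path can actually read. The HMAC-SHA256 keystream stands in for a real negotiated cipher so the script runs on the standard library alone; the addresses, SPI and key are constructed sample values.

```python
import hmac, hashlib, socket, struct

IPPROTO_ESP, IPPROTO_IPIP = 50, 4

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (header checksum left as 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def _xor_keystream(key, spi, seq, data):
    """Stand-in stream cipher: XOR with HMAC-SHA256(key, spi|seq|offset). Not a real SA cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack("!IIQ", spi, seq, off), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def esp_tunnel_encapsulate(inner_packet, gw_src, gw_dst, spi, seq, key):
    """Wrap a whole inner IP packet in ESP (tunnel mode) inside an outer gateway-to-gateway packet."""
    pad_len = (-(len(inner_packet) + 2)) % 4            # ESP trailer aligns to 4 bytes
    plaintext = inner_packet + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
    esp = struct.pack("!II", spi, seq) + _xor_keystream(key, spi, seq, plaintext)
    esp += hmac.new(key, esp, hashlib.sha256).digest()[:12]  # ICV over SPI, seq and ciphertext
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp

def esp_tunnel_decapsulate(outer_packet, key):
    """Far-end gateway: verify the ICV, decrypt, strip the trailer, return the inner packet."""
    esp, icv = outer_packet[20:-12], outer_packet[-12:]
    if not hmac.compare_digest(hmac.new(key, esp, hashlib.sha256).digest()[:12], icv):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", esp[:8])
    plain = _xor_keystream(key, spi, seq, esp[8:])
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("tunnel mode must carry a complete IP packet")
    return plain[:-(pad_len + 2)]

def observer_view(outer_packet):
    """What a device recording the packet in transit can read: only the outer header."""
    proto, src, dst = struct.unpack("!B2x4s4s", outer_packet[9:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}

# Constructed sample: branch host 10.1.1.5 sends UDP to main-office host 10.2.2.8
# through the branch gateway 203.0.113.1 and the main-office gateway 198.51.100.1.
KEY = b"constructed-demo-key-not-a-real-SA"
INNER = ipv4_header("10.1.1.5", "10.2.2.8", 17, 12) + b"hello branch"
OUTER = esp_tunnel_encapsulate(INNER, "203.0.113.1", "198.51.100.1", 0x1000, 1, KEY)
```

Searching the outer packet for the inner addresses finds nothing, while the far gateway recovers the inner packet byte for byte.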
Tunnel Mode Benefits
Tunnel mode allows a router or VPN hardware device to
act as an IPSec proxy, meaning the device performs encryption services on behalf
of the hosts. The Tunnel mode endpoint device protects datagrams that
originate from or are destined to non-IPSec host systems, making the process
invisible to end users. Another great advantage is that the original source and
destination addresses are invisible while encrypted.