Command Reference Guide

3Com Router 3000 Ethernet Family
Chapter 5 IPSec Configuration Commands
3Com Corporation
Table 5-7 IPSec packet statistics

Item                                       Description
input/output security packets              input/output packets under the security protection
input/output security bytes                input/output bytes under the security protection
input/output discarded security packets    input/output packets under the security protection
                                           discarded by the router

5.1.8 encapsulation-mode
Syntax
encapsulation-mode { transport | tunnel }
undo encapsulation-mode
View
IPSec proposal view
Parameter
transport: Sets the encapsulation mode of IP packets to transport mode.
tunnel: Sets the encapsulation mode of IP packets to tunnel mode.
Description
Use the encapsulation-mode command to set the encapsulation mode that the
security protocol applies to IP packets, which can be transport or tunnel.
Use the undo encapsulation-mode command to restore it to the default.
By default, tunnel mode is used.
IPSec can encrypt and authenticate IP packets in one of two encapsulation modes:
transport mode and tunnel mode. In transport mode, IPSec does not encapsulate a new
header into the IP packet. The two ends of the security tunnel are the source and
destination of the original packets. In tunnel mode, IPSec protects the whole IP
packet and adds a new IP header in front of it. The source and destination addresses
of the new IP header are the IP addresses of the two ends of the tunnel.
Generally, tunnel mode is used between two security gateways (routers). A packet
encrypted in a security gateway can only be decrypted in another security gateway. So
an IP packet needs to be encrypted in tunnel mode, that is, a new IP header is added;
the IP packet encapsulated in tunnel mode is sent to another security gateway before it
is decrypted.
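
The header layout of the two modes described above, as an added example that is not part of the 3Com guide. It assumes ESP as the security protocol, uses constructed host and gateway addresses, and shows layout only: encryption and the integrity check value are omitted.

```python
import ipaddress
import struct

ESP, IPIP = 50, 4  # IANA protocol numbers: ESP and IPv4-in-IPv4

def checksum(hdr: bytes) -> int:
    """Internet checksum over an IPv4 header (returns 0 for a valid header)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Prepend a 20-byte IPv4 header without options to payload."""
    a, b = (ipaddress.IPv4Address(x).packed for x in (src, dst))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, a, b)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse(pkt: bytes):
    """Return (src, dst, protocol, payload) read from the outermost IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[9], pkt[ihl:]

def esp(inner: bytes, next_header: int, spi: int = 0x1000, seq: int = 1) -> bytes:
    """ESP framing only: SPI, sequence number, data, padding, pad length, next header.
    A real implementation encrypts data and trailer and appends an ICV."""
    pad = -(len(inner) + 2) % 4  # align the trailer to a 4-byte boundary
    trailer = bytes(range(1, pad + 1)) + bytes([pad, next_header])
    return struct.pack("!II", spi, seq) + inner + trailer

def transport(pkt: bytes) -> bytes:
    """Transport mode: keep the original addresses, protect only the payload."""
    src, dst, proto, payload = parse(pkt)
    return ipv4(src, dst, ESP, esp(payload, proto))

def tunnel(pkt: bytes, gw_local: str, gw_peer: str) -> bytes:
    """Tunnel mode: protect the whole packet behind a new gateway-to-gateway header."""
    return ipv4(gw_local, gw_peer, ESP, esp(pkt, IPIP))

# Constructed sample: a UDP-protocol packet between two private hosts.
ORIGINAL = ipv4("10.1.1.10", "10.2.2.20", 17, b"constructed-udp-payload")

if __name__ == "__main__":
    for name, p in (("transport", transport(ORIGINAL)),
                    ("tunnel", tunnel(ORIGINAL, "192.0.2.1", "198.51.100.1"))):
        print(name, parse(p)[:3], len(p), "bytes")
```

In transport mode the outer header still carries the original host addresses, while in tunnel mode it carries only the gateway addresses, at the cost of one extra 20-byte IPv4 header per packet.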