R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

Figure 3 Format of an X packet encapsulated for transmission over an IP tunnel
These are the terms involved:
Payload: Packet that needs to be encapsulated and transmitted.
Passenger protocol: Protocol that the payload packet uses, X in the example.
Encapsulation or carrier protocol: Protocol used to encapsulate the payload packet, that is, GRE.
Delivery or transport protocol: Protocol used to encapsulate the GRE packet and then forward the
packet to the other end of the tunnel, IP in this example.
Depending on the transport protocol, two tunnel modes are present: GRE over IPv4 and GRE over IPv6.
De-encapsulation process
De-encapsulation is the reverse of the encapsulation process:
1. Upon receiving an IP packet from the tunnel interface, Device B checks the destination address.
2. If the destination is itself, Device B strips off the IP header of the packet and submits the resulting
packet to the GRE protocol.
3. The GRE protocol checks the key, checksum and sequence number in the packet, and then strips
off the GRE header and submits the payload to the X protocol for forwarding.
NOTE:
Encapsulation and de-encapsulation processes on both ends of the GRE tunnel and the resulting increase
in data volumes will degrade the forwarding efficiency for the GRE-enabled device to some extent.
GRE security options
For the purpose of tunnel security, GRE provides two options: tunnel interface key and end-to-end
checksum.
According to RFC 1701,
If the Key Present field of a GRE packet header is set to 1, the Key field will carry the key for the
receiver to authenticate the source of the packet. This key must be the same at both ends of a tunnel.
Otherwise, packets delivered over the tunnel will be discarded.
If the Checksum Present bit of a GRE packet header is set to 1, the Checksum field contains valid
information. The sender calculates the checksum for the GRE header and the payload and sends
the packet containing the checksum to the peer. The receiver calculates the checksum for the
received packet and compares it with that carried in the packet. If the checksums are the same, the
receiver considers the packet intact and continues to process the packet. Otherwise, the receiver
discards the packet.
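The key and checksum checks described above, as an added Python example (not code from this guide or from the device): the function names, the protocol type 0x0800, the key value and the sample payload are assumptions made for illustration, and the header layout follows RFC 1701.

```python
import struct

C_BIT, R_BIT, K_BIT, S_BIT = 0x8000, 0x4000, 0x2000, 0x1000  # RFC 1701 flag bits

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement (IP-style) checksum."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd length for summing only
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def gre_encap(payload: bytes, proto: int, key: int) -> bytes:
    """Sender: GRE header with Checksum Present and Key Present set, then payload."""
    flags = C_BIT | K_BIT
    zeroed = struct.pack("!HHHHI", flags, proto, 0, 0, key)   # checksum field = 0
    csum = inet_checksum(zeroed + payload)    # covers GRE header and payload
    return struct.pack("!HHHHI", flags, proto, csum, 0, key) + payload

def gre_decap(packet: bytes, local_key):
    """Receiver: return (proto, payload), or raise ValueError to discard."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & R_BIT:
        raise ValueError("routing field not handled here")
    hdr_len = 4 + sum(4 for bit in (C_BIT, K_BIT, S_BIT) if flags & bit)
    if len(packet) < hdr_len:
        raise ValueError("truncated GRE header")
    off = 4
    if flags & C_BIT:
        if inet_checksum(packet) != 0:        # sum including the checksum field
            raise ValueError("checksum mismatch")
        off += 4                              # checksum + offset fields
    key = None
    if flags & K_BIT:
        (key,) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    if key != local_key:                      # also rejects a key set on one end only
        raise ValueError("key mismatch")
    return proto, packet[hdr_len:]            # skips the sequence number if present

if __name__ == "__main__":
    pkt = gre_encap(b"constructed payload", 0x0800, 0x1234)   # constructed sample
    print(gre_decap(pkt, 0x1234))
```

The key travels in clear text in the GRE header and the checksum is unkeyed, so these two options catch mismatched configuration and corrupted packets but not a party on the path who can read or rewrite traffic.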
[Figure 3 labels: IP header (Transport protocol), GRE header (Encapsulation protocol), X payload (Passenger protocol)]