3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

IPsec Configuration Commands 375
encapsulation-mode
Syntax
encapsulation-mode { transport | tunnel }
undo encapsulation-mode
View
IPsec proposal view
Parameter
transport: Sets the encapsulation mode of IP packets to transport mode.
tunnel: Sets the encapsulation mode of IP packets to tunnel mode.
Description
Use the encapsulation-mode command to set the encapsulation mode that the
security protocol applies to IP packets, which can be transport or tunnel.
Use the undo encapsulation-mode command to restore it to the default.
By default, tunnel mode is used.
IPsec can encrypt and authenticate IP packets in either of two encapsulation
modes: transport mode and tunnel mode. In transport mode, IPsec does not add a
new IP header to the packet; the two ends of the security tunnel are the source
and destination of the original packet. In tunnel mode, IPsec protects the whole
original IP packet and prepends a new IP header whose source and destination
addresses are the addresses of the two ends of the tunnel.
Tunnel mode is generally used between two security gateways (routers). A packet
encrypted by one security gateway can only be decrypted by the other, so the
packet is encapsulated in tunnel mode, that is, a new IP header addressed to the
peer gateway is added, and the encapsulated packet travels to the other security
gateway before it is decrypted.
Transport mode is suitable for communication between two hosts, or between a
host and a security gateway, because in transport mode the two devices that
encrypt and decrypt the packets must be the original sender and receiver of
those packets. Most of the traffic between two security gateways does not
originate from or terminate at the gateways themselves, so transport mode is
seldom used between security gateways.
The proposals used by the IPsec policies at both ends of the security tunnel
must specify the same encapsulation mode.
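The following byte-level model is an added example and is not part of the 3Com manual or its software. It shows what the description above means on the wire: in transport mode the original IP header is kept and its protocol field is changed to ESP, while in tunnel mode the whole original packet becomes the ESP payload behind a new outer header addressed gateway to gateway. It also shows why both ends must agree on the mode: a receiver configured for one mode rejects a packet built with the other, because the ESP next-header value does not match what it expects. All addresses, SPI values and payloads are constructed sample data, and encryption and the integrity check value are left out so the framing stays visible.

```python
"""Added example, not from the 3Com manual: a byte-level model of ESP
transport mode versus tunnel mode, and of what a receiver sees when the
two ends of the tunnel are configured with different modes.  Addresses,
SPI values and payloads are constructed; encryption and the ICV are
omitted so the framing stays visible."""
import struct
import ipaddress

ESP_PROTO = 50   # IP protocol number for ESP
IPIP_PROTO = 4   # ESP next-header value meaning "an IPv4 packet follows"
TCP_PROTO = 6

# Constructed topology: two hosts, each behind its own security gateway.
HOST_A, HOST_B = "10.1.1.10", "10.2.2.20"
GW_A, GW_B = "192.0.2.1", "198.51.100.1"
IPV4_FMT = "!BBHHHBBH4s4s"


def build_ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header without options.  Checksum, ID and TTL are fixed
    values because only the layering matters for this model."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(pkt):
    """Return the fields this model cares about plus the payload bytes."""
    v_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    if v_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[20:total_len]}


def esp_wrap(inner, next_header, spi, seq=1):
    """ESP header (SPI, sequence number), payload, then the trailer's
    pad-length and next-header bytes.  No padding, no encryption, no ICV."""
    return struct.pack("!II", spi, seq) + inner + bytes([0, next_header])


def esp_unwrap(esp):
    pad_len, next_header = esp[-2], esp[-1]
    return next_header, esp[8:len(esp) - 2 - pad_len]


def encapsulate(orig_pkt, mode, gw_src, gw_dst, spi):
    hdr = parse_ipv4_header(orig_pkt)
    if mode == "transport":
        # Original IP header is kept; ESP is inserted between it and the
        # upper-layer payload, and the header's protocol field becomes ESP.
        esp = esp_wrap(hdr["payload"], hdr["proto"], spi)
        return build_ipv4_header(hdr["src"], hdr["dst"], ESP_PROTO, len(esp)) + esp
    if mode == "tunnel":
        # Whole original packet becomes the ESP payload; a new outer header
        # addressed gateway-to-gateway is prepended.
        esp = esp_wrap(orig_pkt, IPIP_PROTO, spi)
        return build_ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp
    raise ValueError("mode must be 'transport' or 'tunnel'")


def decapsulate(pkt, mode):
    """Reverse the encapsulation as a receiver configured for `mode` would.
    A mode mismatch between the two ends shows up in the ESP next header."""
    outer = parse_ipv4_header(pkt)
    if outer["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    next_header, payload = esp_unwrap(outer["payload"])
    if mode == "tunnel":
        if next_header != IPIP_PROTO:
            raise ValueError("tunnel-mode SA, but peer used transport mode "
                             f"(next header {next_header})")
        return payload                      # the original packet, intact
    if next_header == IPIP_PROTO:
        raise ValueError("transport-mode SA, but peer used tunnel mode")
    # Transport mode: restore the original header with its real protocol.
    return build_ipv4_header(outer["src"], outer["dst"], next_header, len(payload)) + payload


def mismatch_detected(pkt, mode):
    """True if a receiver configured for `mode` rejects `pkt`."""
    try:
        decapsulate(pkt, mode)
        return False
    except ValueError:
        return True


def demo():
    """Build one host-to-host packet and encapsulate it both ways."""
    payload = b"constructed TCP segment"
    orig = build_ipv4_header(HOST_A, HOST_B, TCP_PROTO, len(payload)) + payload
    return (orig,
            encapsulate(orig, "transport", GW_A, GW_B, 0x1000),
            encapsulate(orig, "tunnel", GW_A, GW_B, 0x1000))


if __name__ == "__main__":
    orig, transport, tunnel = demo()
    for name, pkt in (("transport", transport), ("tunnel", tunnel)):
        h = parse_ipv4_header(pkt)
        print(f"{name}: outer {h['src']} -> {h['dst']}, proto {h['proto']}, {len(pkt)} bytes")
    print("tunnel-mode packet at transport-mode receiver rejected:",
          mismatch_detected(tunnel, "transport"))
```

Running it shows the transport-mode packet still addressed host to host (10.1.1.10 to 10.2.2.20) with protocol 50, and the tunnel-mode packet addressed gateway to gateway (192.0.2.1 to 198.51.100.1), exactly 20 bytes longer because of the added outer header. Decapsulating with the mode the sender used restores the original packet byte for byte; decapsulating with the other mode is rejected, which is the practical reason the proposals at both ends must carry the same encapsulation-mode setting.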
Related command: ah authentication-algorithm, ipsec proposal, esp
encryption-algorithm, esp authentication-algorithm, proposal, transform.
Example
# Set the proposal named prop2 to use transport mode to encapsulate IP
packets.
[SecBlade_VPN] ipsec proposal prop2
[SecBlade_VPN-ipsec-proposal-prop2] encapsulation-mode transport