HP VPN Firewall Appliances VPN Configuration Guide

139
Flexible service application—You can apply a service such as NAT or QoS to packets before or
after they are encrypted by IPsec. To handle packets prior to IPsec encryption, apply the service to
the IPsec tunnel interface. To handle IPsec encrypted packets, apply the service to the physical
outbound interface.
Operation of the IPsec tunnel interface
IPsec encapsulation and de-encapsulation occur on IPsec tunnel interfaces. Figure 95 shows how a clear
text packet arriving at a router is forwarded to the IPsec tunnel interface, encapsulated, and forwarded
out.
Figure 95 Encapsulation process of a clear text packet
1. The router forwards a clear text packet received on the inbound interface to the forwarding
module.
2. The forwarding module looks up the routing table and, if the packet must be IPsec protected,
forwards the packet to the IPsec tunnel interface. The original IP packet is encapsulated to form
a new IP packet. The source and destination addresses of the new packet are the source and
destination addresses of the tunnel interface, respectively.
3. The IPsec tunnel interface encapsulates the packet, and then sends the packet to the forwarding
module.
4. The forwarding module looks up the routing table again and forwards the IPsec-encrypted packet
out of the physical outbound interface that is associated with the tunnel interface.
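The four steps above, together with the earlier point about applying services before or after encryption, can be modelled as a small forwarding pipeline. The following is an added example written for this page; it is not code from the HP guide or the appliance firmware. The interface names (Tunnel1, GE0/1), the addresses, the routing table and the XOR "encryption" are all constructed stand-ins: the model only shows where the two route lookups happen, which packet a tunnel-interface service sees versus a physical-interface service, and how a route to the tunnel endpoint that resolves back to the tunnel interface (a recursive route) would be caught at the second lookup.

```python
"""Toy model of IPsec tunnel-interface forwarding (added example, not vendor code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    protocol: str = "ip"            # "ip" for clear text, "esp" once encapsulated
    dscp: int = 0                   # QoS marking on the header the service sees
    inner: Optional["Packet"] = None  # original packet, kept for inspection


@dataclass
class Interface:
    name: str
    address: str
    tunnel_dst: Optional[str] = None   # set only on IPsec tunnel interfaces
    # Services (NAT, QoS, ...) attached to this interface's egress path.
    services: List[Callable[[Packet], Packet]] = field(default_factory=list)


KEY = 0x5A  # constructed toy key; XOR stands in for real IPsec encryption


def encrypt(data: bytes) -> bytes:
    """Reversible stand-in for ESP encryption: encrypt(encrypt(x)) == x."""
    return bytes(b ^ KEY for b in data)


class Router:
    def __init__(self, interfaces: List[Interface], routes: List[Tuple[str, str]]):
        self.ifaces = {i.name: i for i in interfaces}
        self.routes = routes            # (prefix, interface name), constructed
        self.log: List[str] = []

    def lookup(self, dst: str) -> Interface:
        """Longest-prefix match over the constructed routing table."""
        addr, best = ip_address(dst), None
        for prefix, ifname in self.routes:
            net = ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        if best is None:
            raise LookupError(f"no route to {dst}")
        return self.ifaces[best[1]]

    @staticmethod
    def apply_services(iface: Interface, pkt: Packet) -> Packet:
        for svc in iface.services:
            pkt = svc(pkt)
        return pkt

    def forward(self, pkt: Packet) -> Tuple[str, Packet]:
        """Steps 1-4: returns (physical egress interface, packet put on the wire)."""
        egress = self.lookup(pkt.dst)                    # step 2: first lookup
        if egress.tunnel_dst is not None:
            pkt = self.apply_services(egress, pkt)       # services see clear text
            outer = Packet(src=egress.address, dst=egress.tunnel_dst,
                           payload=encrypt(pkt.payload), protocol="esp", inner=pkt)
            self.log.append(f"encapsulated on {egress.name}")   # step 3
            egress = self.lookup(outer.dst)              # step 4: second lookup
            if egress.tunnel_dst is not None:
                # The route to the tunnel endpoint must resolve to a physical
                # interface; otherwise the ESP packet would re-enter the tunnel.
                raise RuntimeError(f"recursive route via {egress.name}")
            pkt = outer
        return egress.name, self.apply_services(egress, pkt)  # services see ESP


def nat_inner_src(pkt: Packet) -> Packet:
    """Source NAT on the tunnel interface: rewrites the clear-text header."""
    pkt.src = "203.0.113.10"            # constructed translated address
    return pkt


def mark_ef(pkt: Packet) -> Packet:
    """QoS on the physical interface: marks only the outer (ESP) header."""
    pkt.dscp = 46
    return pkt


def demo() -> Tuple[str, Packet]:
    tun = Interface("Tunnel1", "198.51.100.1", tunnel_dst="198.51.100.2",
                    services=[nat_inner_src])
    ge = Interface("GE0/1", "192.0.2.1", services=[mark_ef])
    r = Router([tun, ge], [("10.2.0.0/16", "Tunnel1"), ("198.51.100.0/24", "GE0/1")])
    return r.forward(Packet("10.1.0.5", "10.2.0.7", b"hello"))


def recursive_route_detected() -> bool:
    """Misconfiguration: the tunnel endpoint itself is routed into the tunnel."""
    tun = Interface("Tunnel1", "198.51.100.1", tunnel_dst="198.51.100.2")
    r = Router([tun], [("10.2.0.0/16", "Tunnel1"), ("198.51.100.0/24", "Tunnel1")])
    try:
        r.forward(Packet("10.1.0.5", "10.2.0.7", b"hello"))
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("recursive route caught:", recursive_route_detected())
```

Running `demo()` shows the NAT hook changing the inner source address before encapsulation while the DSCP mark lands only on the outer ESP header; `recursive_route_detected()` shows why the route to the remote tunnel endpoint has to point at the physical outbound interface rather than the tunnel itself.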
Figure 96 shows how an IPsec packet is de-encapsulated on an IPsec tunnel interface.
Figure 96 De-encapsulation process of an IPsec packet
5. The router forwards an IPsec packet received on the inbound interface to the forwarding module.