TMS zl Management and Configuration Guide ST.1.1.100226

7-10
Virtual Private Networks
IPsec Concepts
Transport Mode
In transport mode, a packet is encapsulated with an IPsec header before the
IP header is added, which reduces overhead. However, because the header
must be applied before the traffic is ever transmitted, both ends of the tunnel
must be the ultimate originators of the traffic.
You can use transport mode to secure traffic for sessions that terminate on
the module itself. For example, transport mode is used for the IPsec traffic in
L2TP over IPsec connections as well as GRE over IPsec connections because,
as the gateway to the L2TP or GRE tunnel, the module is the originator of the
L2TP or GRE packet that is encapsulated by IPsec.
Figure 7-2. Transport Mode
In transport mode, an AH header authenticates the entire packet including the
IP header. The ESP header authenticates only the payload but can also encrypt
the payload.
Authentication and Encryption Algorithms
To provide data integrity, an IPsec tunnel endpoint transforms packets with
authentication algorithms. An authentication algorithm uses a specific key to
generate a unique message digest for a packet, which the remote endpoint
checks using the same key and algorithm. If the data has been altered, the
integrity check fails.
To provide data privacy, the tunnel endpoint transforms packets with symmetric
encryption algorithms. Such an algorithm uses a key to transform data into
a new string. Only an endpoint using the same algorithm and key can extract
the original data from the encrypted string.
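The keyed message digest described above, and the difference in what AH and ESP authenticate (whole packet versus payload only), as an added illustration that is not part of this guide or of the module's own implementation. It uses HMAC-SHA256 as the authentication algorithm; the packet bytes, the shared key and the function names are constructed for the example, and the real AH/ESP wire format (sequence numbers, SPI, ESP trailer, truncated ICV) is deliberately omitted.

```python
import hmac
import hashlib

# Constructed sample "packet": a fake IPv4 header followed by a payload.
# These bytes are illustrative only and do not form a valid IP datagram.
IP_HEADER = (b"\x45\x00\x00\x3c\x1c\x46\x40\x00\x40\x06\x00\x00"
             b"\xc0\xa8\x00\x01"   # source address field (bytes 12..15)
             b"\xc0\xa8\x00\x02")  # destination address field
PAYLOAD = b"GET /status HTTP/1.1\r\n\r\n"
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def digest(key: bytes, data: bytes) -> bytes:
    """Authentication algorithm: a keyed hash over the covered bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ah_covered(ip_header: bytes, payload: bytes) -> bytes:
    """AH-style coverage: the IP header is part of what is authenticated."""
    return ip_header + payload


def esp_covered(ip_header: bytes, payload: bytes) -> bytes:
    """ESP-style coverage: only the payload is authenticated (outer IP header is not)."""
    return payload


def verify(key: bytes, covered: bytes, received_digest: bytes) -> bool:
    """Remote endpoint recomputes the digest with the same key and algorithm."""
    return hmac.compare_digest(digest(key, covered), received_digest)


def demo() -> dict:
    """Show which alterations each coverage model detects."""
    ah_icv = digest(SHARED_KEY, ah_covered(IP_HEADER, PAYLOAD))
    esp_icv = digest(SHARED_KEY, esp_covered(IP_HEADER, PAYLOAD))
    # Alter the source address inside the IP header; payload left untouched.
    altered_hdr = IP_HEADER[:12] + b"\x0a\x00\x00\x63" + IP_HEADER[16:]
    return {
        "ah_untouched": verify(SHARED_KEY, ah_covered(IP_HEADER, PAYLOAD), ah_icv),
        "esp_untouched": verify(SHARED_KEY, esp_covered(IP_HEADER, PAYLOAD), esp_icv),
        "ah_header_altered": verify(SHARED_KEY, ah_covered(altered_hdr, PAYLOAD), ah_icv),
        "esp_header_altered": verify(SHARED_KEY, esp_covered(altered_hdr, PAYLOAD), esp_icv),
        "esp_payload_altered": verify(SHARED_KEY, esp_covered(IP_HEADER, PAYLOAD + b"x"), esp_icv),
        "wrong_key": verify(b"some-other-key", ah_covered(IP_HEADER, PAYLOAD), ah_icv),
    }
```

The result shows the integrity check failing for any altered data or mismatched key, and that an ESP-only digest does not notice a change to the IP header, which is why AH is the choice when header integrity matters.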