Transport And Tunnel Modes In IPsec

oracle home Securing the Network in Oracle® Solaris 11.2

Exit Print View

Search Term Search Scope: This Document Entire Library » ...Documentation Home » Oracle Solaris 11.2 Information Library » Securing the Network in Oracle® ... » About IP Security Architecture » Transport and Tunnel Modes in IPsec Updated: August 2014

• Securing the Network in Oracle® Solaris 11.2
• Document Information
• Using This Documentation
• Product Documentation Library
• Access to Oracle Support
• Feedback
• Chapter 1 Using Link Protection in Virtualized Environments
• What's New in Network Security in Oracle Solaris 11.2
• About Link Protection
• Link Protection Types
• Configuring Link Protection
• How to Enable Link Protection
• How to Disable Link Protection
• How to Specify IP Addresses to Protect Against IP Spoofing
• How to Specify DHCP Clients to Protect Against DHCP Spoofing
• How to View Link Protection Configuration and Statistics
• Chapter 2 Tuning Your Network
• Tuning the Network
• How to Disable the Network Routing Daemon
• How to Disable Broadcast Packet Forwarding
• How to Disable Responses to Echo Requests
• How to Set Strict Multihoming
• How to Set Maximum Number of Incomplete TCP Connections
• How to Set Maximum Number of Pending TCP Connections
• How to Specify a Strong Random Number for Initial TCP Connection
• How to Prevent ICMP Redirects
• How to Reset Network Parameters to Secure Values
• Chapter 3 Web Servers and the Secure Sockets Layer Protocol
• SSL Kernel Proxy Encrypts Web Server Communications
• Protecting Web Servers With the SSL Kernel Proxy
• How to Configure an Apache 2.2 Web Server to Use the SSL Kernel Proxy
• How to Configure an Oracle iPlanet Web Server to Use the SSL Kernel Proxy
• How to Configure the SSL Kernel Proxy to Fall Back to the Apache 2.2 SSL
• How to Use the SSL Kernel Proxy in Zones
• Chapter 4 About IP Filter in Oracle Solaris
• Introduction to IP Filter
• Information Sources for Open Source IP Filter
• IP Filter Packet Processing
• Guidelines for Using IP Filter
• Using IP Filter Configuration Files
• Using IP Filter Rule Sets
• Using IP Filter's Packet Filtering Feature
• Configuring Packet Filtering Rules
• Using IP Filter's NAT Feature
• Configuring NAT Rules
• Using IP Filter's Address Pools Feature
• Configuring Address Pools
• IPv6 for IP Filter
• IP Filter Man Pages
• Chapter 5 Configuring IP Filter
• Configuring the IP Filter Service
• How to Display IP Filter Service Defaults
• How to Create IP Filter Configuration Files
• How to Enable and Refresh IP Filter
• How to Disable Packet Reassembly
• How to Enable Loopback Filtering
• How to Disable Packet Filtering
• Working With IP Filter Rule Sets
• Managing Packet Filtering Rule Sets for IP Filter
• How to View the Active Packet Filtering Rule Set
• How to View the Inactive Packet Filtering Rule Set
• How to Activate a Different or Updated Packet Filtering Rule Set
• How to Remove a Packet Filtering Rule Set
• How to Append Rules to the Active Packet Filtering Rule Set
• How to Append Rules to the Inactive Packet Filtering Rule Set
• How to Switch Between Active and Inactive Packet Filtering Rule Sets
• How to Remove an Inactive Packet Filtering Rule Set From the Kernel
• Managing NAT Rules for IP Filter
• How to View Active NAT Rules in IP Filter
• How to Deactivate NAT Rules in IP Filter
• How to Append Rules to the NAT Packet Filtering Rules
• Managing Address Pools for IP Filter
• How to View Active Address Pools
• How to Remove an Address Pool
• How to Append Rules to an Address Pool
• Displaying Statistics and Information for IP Filter
• How to View State Tables for IP Filter
• How to View State Statistics for IP Filter
• How to View IP Filter Tunable Parameters
• How to View NAT Statistics for IP Filter
• How to View Address Pool Statistics for IP Filter
• Working With Log Files for IP Filter
• How to Set Up a Log File for IP Filter
• How to View IP Filter Log Files
• How to Flush the Packet Log Buffer
• How to Save Logged Packets to a File
• IP Filter Configuration File Examples
• Chapter 6 About IP Security Architecture
• Introduction to IPsec
• IPsec Packet Flow
• IPsec Security Associations
• Key Management for IPsec Security Associations
• IKE for IPsec SA Generation
• Manual Keys for IPsec SA Generation
• IPsec Protection Protocols
• Authentication Header
• Encapsulating Security Payload
• Security Considerations When Using AH and ESP
• Authentication and Encryption Algorithms in IPsec
• IPsec Protection Policies
• Transport and Tunnel Modes in IPsec
• Virtual Private Networks and IPsec
• IPsec and FIPS 140
• IPsec and NAT Traversal
• IPsec and SCTP
• IPsec and Oracle Solaris Zones
• IPsec and Virtual Machines
• IPsec Configuration Commands and Files
• Chapter 7 Configuring IPsec
• Protecting Network Traffic With IPsec
• How to Secure Network Traffic Between Two Servers With IPsec
• How to Use IPsec to Protect Web Server Communication With Other Servers
• Protecting a VPN With IPsec
• Examples of Protecting a VPN With IPsec by Using Tunnel Mode
• Description of the Network Topology for the IPsec Tasks to Protect a VPN
• How to Protect the Connection Between Two LANs With IPsec in Tunnel Mode
• Additional IPsec Tasks
• How to Manually Create IPsec Keys
• How to Configure a Role for Network Security
• How to Verify That Packets Are Protected With IPsec
• Chapter 8 About Internet Key Exchange
• Introduction to IKE
• IKE Concepts and Terminology
• How IKE Works
• IKE With Preshared Key Authentication
• IKE With Public Key Certificates
• Using Public Key Certificates in IKE
• Handling Revoked Certificates
• Coordinating Time on Systems That Use Public Certificates
• Comparison of IKEv2 and IKEv1
• IKEv2 Protocol
• IKEv2 Configuration Choices
• IKEv2 Policy for Public Certificates
• IKEv1 Protocol
• IKEv1 Key Negotiation
• IKEv1 Phase 1 Exchange
• IKEv1 Phase 2 Exchange
• IKEv1 Configuration Choices
• Chapter 9 Configuring IKEv2
• Configuring IKEv2
• Configuring IKEv2 With Preshared Keys
• How to Configure IKEv2 With Preshared Keys
• How to Add a New Peer When Using Preshared Keys in IKEv2
• Initializing the Keystore to Store Public Key Certificates for IKEv2
• How to Create and Use a Keystore for IKEv2 Public Key Certificates
• Configuring IKEv2 With Public Key Certificates
• How to Configure IKEv2 With Self-Signed Public Key Certificates
• How to Configure IKEv2 With Certificates Signed by a CA
• How to Set a Certificate Validation Policy in IKEv2
• How to Handle Revoked Certificates in IKEv2
• How to Generate and Store Public Key Certificates for IKEv2 in Hardware
• Chapter 10 Configuring IKEv1
• Configuring IKEv1
• Configuring IKEv1 With Preshared Keys
• How to Configure IKEv1 With Preshared Keys
• How to Update IKEv1 for a New Peer System
• Configuring IKEv1 With Public Key Certificates
• How to Configure IKEv1 With Self-Signed Public Key Certificates
• How to Configure IKEv1 With Certificates Signed by a CA
• How to Generate and Store Public Key Certificates for IKEv1 in Hardware
• How to Handle Revoked Certificates in IKEv1
• Configuring IKEv1 for Mobile Systems
• How to Configure IKEv1 for Off-Site Systems
• Configuring IKEv1 to Find Attached Hardware
• How to Configure IKEv1 to Find the Sun Crypto Accelerator 6000 Board
• Chapter 11 Troubleshooting IPsec and Its Key Management Services
• Troubleshooting IPsec and Its Key Management Configuration
• How to Prepare IPsec and IKE Systems for Troubleshooting
• How to Troubleshoot Systems Before IPsec and IKE Are Running
• How to Troubleshoot Systems When IPsec Is Running
• Troubleshooting IPsec and IKE Semantic Errors
• Viewing Information About IPsec and Its Keying Services
• Viewing IPsec and Manual Key Service Properties
• Viewing IKE Information
• Managing IPsec and Its Keying Services
• Configuring and Managing IPsec and Its Keying Services
• Managing the Running IKE Daemons
• Chapter 12 IPsec and Key Management Reference
• IPsec Reference
• IPsec Services, Files, and Commands
• IPsec Services
• ipsecconf Command
• ipsecinit.conf Configuration File
• Sample ipsecinit.conf File
• Security Considerations for ipsecinit.conf and ipsecconf
• ipsecalgs Command
• ipseckey Command
• Security Considerations for ipseckey
• kstat Command
• snoop Command and IPsec
• IPsec RFCs
• Security Associations Database for IPsec
• Key Management in IPsec
• IKEv2 Reference
• IKEv2 Utilities and Files
• IKEv2 Service
• IKEv2 Daemon
• IKEv2 Configuration File
• ikeadm Command for IKEv2
• IKEv2 Preshared Keys File
• IKEv2 ikev2cert Command
• IKEv1 Reference
• IKEv1 Utilities and Files
• IKEv1 Service
• IKEv1 Daemon
• IKEv1 Configuration File
• IKEv1 ikeadm Command
• IKEv1 Preshared Keys Files
• IKEv1 Public Key Databases and Commands
• IKEv1 ikecert tokens Command
• IKEv1 ikecert certlocal Command
• IKEv1 ikecert certdb Command
• IKEv1 ikecert certrldb Command
• IKEv1 /etc/inet/ike/publickeys Directory
• IKEv1 /etc/inet/secret/ike.privatekeys Directory
• IKEv1 /etc/inet/ike/crls Directory
• Network Security Glossary
• Index
• Index Numbers and Symbols
• Index A
• Index B
• Index C
• Index D
• Index E
• Index F
• Index G
• Index H
• Index I
• Index K
• Index L
• Index M
• Index N
• Index O
• Index P
• Index R
• Index S
• Index T
• Index U
• Index V
• Index W
• Index X
• Index Z

Language: English

Transport and Tunnel Modes in IPsec

The IPsec standards define two distinct modes of IPsec operation, transport mode and tunnel mode. The key difference between transport and tunnel mode is where policy is applied. In tunnel mode, the original packet is encapsulated in another IP header. The addresses in the other header can be different.

The packets can be protected by AH, ESP, or both in each mode. The modes differ in policy application, as follows:

• In transport mode, the IP addresses in the outer header are used to determine the IPsec policy that will be applied to the packet.

• In tunnel mode, two IP headers are sent. The inner IP packet determines the IPsec policy that protects its contents.

  Tunnel mode can be applied to any mix of end systems and intermediate systems, such as security gateways.

In transport mode, the IP header, the next header, and any ports that the next header supports can be used to determine IPsec policy. In effect, IPsec can enforce different transport mode policies between two IP addresses to the granularity of a single port. For example, if the next header is TCP, which supports ports, then IPsec policy can be set for a TCP port of the outer IP address.

Tunnel mode works only for IP-in-IP packets. In tunnel mode, IPsec policy is enforced on the contents of the inner IP packet. Different IPsec policies can be enforced for different inner IP addresses. That is, the inner IP header, its next header, and the ports that the next header supports can enforce a policy. Unlike transport mode, in tunnel mode the outer IP header does not dictate the policy of its inner IP packet.

Therefore, in tunnel mode, IPsec policy can be specified for subnets of a LAN behind a router and for ports on those subnets. IPsec policy can also be specified for particular IP addresses, that is, hosts, on those subnets. The ports of those hosts can also have a specific IPsec policy. However, if a dynamic routing protocol is run over a tunnel, do not use subnet selection or address selection because the view of the network topology on the peer network could change. Changes would invalidate the static IPsec policy. For examples of tunneling procedures that include configuring static routes, see Protecting a VPN With IPsec.

In Oracle Solaris, tunnel mode can be enforced only on an IP tunneling network interface. For information about tunneling interfaces, see Chapter 4, About IP Tunnel Administration, in Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle Solaris 11.2 . IPsec policy provides a tunnel keyword to select an IP tunneling network interface. When the tunnel keyword is present in a rule, all selectors that are specified in that rule apply to the inner packet.

The following figure shows an IP header with an unprotected TCP packet.

Figure 6-3  Unprotected IP Packet Carrying TCP Information

In transport mode, ESP protects the data as shown in the following figure. The shaded area shows the encrypted part of the packet.

Figure 6-4  Protected IP Packet Carrying TCP Information

In tunnel mode, the entire packet is inside the ESP header. The packet in Figure 6–3 is protected in tunnel mode by an outer IPsec header and, in this case, ESP, as shown in the following figure.

Figure 6-5  IPsec Packet Protected in Tunnel Mode

IPsec policy provides keywords for tunnel mode and transport mode. For more information, review the following:

• For details on per-socket policy, see the ipsec(7P) man page.

• For an example of per-socket policy, see How to Use IPsec to Protect Web Server Communication With Other Servers.

• For more information about tunnels, see the ipsecconf(1M) man page.

• For an example of tunnel configuration, see How to Protect the Connection Between Two LANs With IPsec in Tunnel Mode.

Copyright © 1999, 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices Previous Next