Transport And Tunnel Modes In IPsec

Securing the Network in Oracle® Solaris 11.2 » About IP Security Architecture » Transport and Tunnel Modes in IPsec (Updated: August 2014)

The IPsec standards define two distinct modes of IPsec operation, transport mode and tunnel mode. The key difference between transport and tunnel mode is where policy is applied. In tunnel mode, the original packet is encapsulated in another IP header. The addresses in that outer header can differ from the addresses in the original packet.

The packets can be protected by AH, ESP, or both in each mode. The modes differ in policy application, as follows:

  • In transport mode, the IP addresses in the outer header are used to determine the IPsec policy that will be applied to the packet.

  • In tunnel mode, two IP headers are sent. The inner IP packet determines the IPsec policy that protects its contents.

Tunnel mode can be applied to any mix of end systems and intermediate systems, such as security gateways.

In transport mode, the IP header, the next header, and any ports that the next header supports can be used to determine IPsec policy. In effect, IPsec can enforce different transport mode policies between two IP addresses to the granularity of a single port. For example, if the next header is TCP, which supports ports, then IPsec policy can be set for a TCP port of the outer IP address.

Tunnel mode works only for IP-in-IP packets. In tunnel mode, IPsec policy is enforced on the contents of the inner IP packet. Different IPsec policies can be enforced for different inner IP addresses. That is, the inner IP header, its next header, and the ports that the next header supports can enforce a policy. Unlike transport mode, in tunnel mode the outer IP header does not dictate the policy of its inner IP packet.

Therefore, in tunnel mode, IPsec policy can be specified for subnets of a LAN behind a router and for ports on those subnets. IPsec policy can also be specified for particular IP addresses, that is, hosts, on those subnets. The ports of those hosts can also have a specific IPsec policy. However, if a dynamic routing protocol is run over a tunnel, do not use subnet selection or address selection because the view of the network topology on the peer network could change. Changes would invalidate the static IPsec policy. For examples of tunneling procedures that include configuring static routes, see Protecting a VPN With IPsec.

In Oracle Solaris, tunnel mode can be enforced only on an IP tunneling network interface. For information about tunneling interfaces, see Chapter 4, About IP Tunnel Administration, in Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle Solaris 11.2. IPsec policy provides a tunnel keyword to select an IP tunneling network interface. When the tunnel keyword is present in a rule, all selectors that are specified in that rule apply to the inner packet, not to the outer header.
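The policy-selection rules described above (outer header for transport mode, inner packet for a rule carrying the tunnel keyword, and port-level granularity in both) can be modelled in a few lines. The following Python is an added example and is not Oracle Solaris code: the `tunnel` flag on a `Rule` stands in for the ipsecconf `tunnel` keyword, the rule set and the addresses are constructed for illustration and are not a valid ipsecinit.conf file, and lookup is first-match for outbound packets only (the assumed `laddr`/`raddr` naming mirrors ipsecconf selectors).

```python
"""Toy model of IPsec policy lookup in transport vs. tunnel mode.

Constructed example, not Oracle Solaris code. A Rule with tunnel=True
matches its selectors against the inner IP packet (the ipsecconf `tunnel`
keyword); a transport-mode rule matches against the outer header.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ulp: str                          # upper-layer protocol: "tcp", "udp" or "ipip"
    sport: Optional[int] = None
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # set only for an IP-in-IP packet


@dataclass(frozen=True)
class Rule:
    name: str
    laddr: str                        # local (source) prefix, e.g. "10.1.3.0/24"
    raddr: str                        # remote (destination) prefix
    action: str                       # "ipsec" (protect) or "bypass" (send in the clear)
    ulp: Optional[str] = None
    lport: Optional[int] = None
    rport: Optional[int] = None
    tunnel: bool = False              # selectors apply to the inner packet


def selectors_match(rule: Rule, pkt: Packet) -> bool:
    """Address, protocol and port selectors; an unset selector matches anything."""
    if ip_address(pkt.src) not in ip_network(rule.laddr):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.raddr):
        return False
    if rule.ulp is not None and rule.ulp != pkt.ulp:
        return False
    if rule.lport is not None and rule.lport != pkt.sport:
        return False
    if rule.rport is not None and rule.rport != pkt.dport:
        return False
    return True


def lookup(rules: Sequence[Rule], pkt: Packet) -> Optional[Rule]:
    """First-match policy lookup for an outbound packet."""
    for rule in rules:
        target = pkt
        if rule.tunnel:
            # Tunnel mode works only for IP-in-IP packets, and the outer
            # header never dictates the policy of the inner packet.
            if pkt.inner is None:
                continue
            target = pkt.inner
        if selectors_match(rule, target):
            return rule
    return None


# Constructed policy; order matters because the first match wins.
POLICY = [
    # transport mode: protect only SSH between two hosts, selected by port
    Rule("ssh-transport", "192.0.2.10/32", "198.51.100.20/32", "ipsec",
         ulp="tcp", rport=22),
    # tunnel mode: a more specific inner-packet selector (DNS) gets its own policy
    Rule("dns-bypass-in-tunnel", "10.1.3.0/24", "10.16.16.0/24", "bypass",
         ulp="udp", rport=53, tunnel=True),
    # tunnel mode: everything else between the two LANs behind the gateways
    Rule("lan-tunnel", "10.1.3.0/24", "10.16.16.0/24", "ipsec", tunnel=True),
]


def policy_for(pkt: Packet) -> Optional[str]:
    rule = lookup(POLICY, pkt)
    return rule.name if rule else None


def demo() -> dict:
    """Apply POLICY to a handful of constructed packets."""
    gw = ("192.0.2.1", "198.51.100.1")   # the two security gateways (constructed)
    packets = {
        # transport: the outer addresses plus the TCP port decide
        "ssh": Packet("192.0.2.10", "198.51.100.20", "tcp", 40000, 22),
        "http": Packet("192.0.2.10", "198.51.100.20", "tcp", 40001, 80),
        # tunnel: the gateways' addresses are ignored, the inner packet decides
        "lan_http": Packet(*gw, "ipip", inner=Packet("10.1.3.7", "10.16.16.9", "tcp", 40002, 80)),
        "lan_dns": Packet(*gw, "ipip", inner=Packet("10.1.3.7", "10.16.16.9", "udp", 40003, 53)),
        "off_net": Packet(*gw, "ipip", inner=Packet("10.1.3.7", "203.0.113.5", "tcp", 40004, 80)),
    }
    return {name: policy_for(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, rule in demo().items():
        print(f"{name:9s} -> {rule}")
```

The `off_net` case is the point of the last paragraph above: both tunnel packets leave the same gateway for the same peer, yet only the one whose inner destination lies in the policy's subnet is matched, because the outer header does not dictate tunnel-mode policy.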

The following figure shows an IP header with an unprotected TCP packet.

Figure 6-3  Unprotected IP Packet Carrying TCP Information

Figure description: the IP header followed by the TCP header. The TCP header is not protected.

In transport mode, ESP protects the data as shown in the following figure. The shaded area shows the encrypted part of the packet.

Figure 6-4  Protected IP Packet Carrying TCP Information

Figure description: the ESP header sits between the IP header and the TCP header. The TCP header is encrypted under ESP.

In tunnel mode, the entire original packet is inside the ESP header. The packet in Figure 6-3 is protected in tunnel mode by an outer IP header and an IPsec header, in this case ESP, as shown in the following figure.

Figure 6-5  IPsec Packet Protected in Tunnel Mode

Figure description: the ESP header follows the outer IP header and precedes the inner IP header and the TCP header. The last two headers are protected by encryption.
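The three figures above can be reproduced byte for byte. The following Python is an added example, not Oracle Solaris code: it builds the IPv4 and TCP headers of Figure 6-3, frames them as ESP in transport mode (Figure 6-4) and in tunnel mode (Figure 6-5) following the RFC 4303 layout (SPI, sequence number, payload, padding, pad length, next header), and then shows what an on-path observer can read from the cleartext part versus what the ESP endpoint sees after decapsulation. Encryption and the integrity check value are deliberately left out, so the "encrypted" span stays in plaintext for inspection; the addresses and ports are constructed.

```python
"""ESP framing in transport vs. tunnel mode (IPv4), without the crypto.

Constructed example, not Oracle Solaris code. A real ESP implementation
would encrypt everything after the SPI/sequence fields and append an ICV;
here that span is left in plaintext so the framing can be inspected.
"""
import struct

IPPROTO_IPIP = 4   # ESP next-header value for an encapsulated IPv4 packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def _fmt(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       _ip_bytes(src), _ip_bytes(dst))


def tcp_header(sport: int, dport: int) -> bytes:
    # ports, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


def esp_wrap(spi: int, seq: int, plaintext: bytes, next_header: int) -> bytes:
    """SPI + seq, then payload, padding (1,2,3,...), pad length and next header."""
    pad_len = (-(len(plaintext) + 2)) % 4       # align the trailer on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + plaintext + trailer


def unprotected(src, dst, sport, dport) -> bytes:
    """Figure 6-3: IP header followed by an unprotected TCP header."""
    tcp = tcp_header(sport, dport)
    return ipv4_header(src, dst, IPPROTO_TCP, len(tcp)) + tcp


def transport_mode(src, dst, sport, dport, spi=0x1001, seq=1) -> bytes:
    """Figure 6-4: IP header, ESP header, then the (encrypted) TCP header."""
    tcp = tcp_header(sport, dport)
    esp = esp_wrap(spi, seq, tcp, IPPROTO_TCP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, src, dst, sport, dport, spi=0x2002, seq=1) -> bytes:
    """Figure 6-5: outer IP header, ESP header, then the whole inner IP packet."""
    inner = unprotected(src, dst, sport, dport)
    esp = esp_wrap(spi, seq, inner, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def cleartext_view(pkt: bytes) -> dict:
    """What an on-path observer (or a policy engine without the key) can read."""
    ihl = (pkt[0] & 0x0F) * 4
    view = {"src": _fmt(pkt[12:16]), "dst": _fmt(pkt[16:20]), "proto": pkt[9]}
    if pkt[9] == IPPROTO_ESP:
        view["spi"], view["seq"] = struct.unpack("!II", pkt[ihl:ihl + 8])
    return view


def decapsulated_view(pkt: bytes) -> dict:
    """What the ESP endpoint sees once the ESP header and trailer are removed."""
    ihl = (pkt[0] & 0x0F) * 4
    body = pkt[ihl + 8:]                         # skip SPI and sequence number
    pad_len, next_header = body[-2], body[-1]
    plain = body[:-(2 + pad_len)]
    if next_header == IPPROTO_IPIP:              # tunnel mode: inner IP packet follows
        iihl = (plain[0] & 0x0F) * 4
        src, dst, ulp, tcp = _fmt(plain[12:16]), _fmt(plain[16:20]), plain[9], plain[iihl:]
        mode = "tunnel"
    else:                                        # transport mode: outer addresses apply
        src, dst, ulp, tcp = _fmt(pkt[12:16]), _fmt(pkt[16:20]), next_header, plain
        mode = "transport"
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"mode": mode, "src": src, "dst": dst, "ulp": ulp, "sport": sport, "dport": dport}


if __name__ == "__main__":
    t = transport_mode("192.0.2.10", "198.51.100.20", 40000, 22)
    u = tunnel_mode("192.0.2.1", "198.51.100.1", "10.1.3.7", "10.16.16.9", 40000, 80)
    for name, p in (("transport", t), ("tunnel", u)):
        print(name, "on the wire:", cleartext_view(p))
        print(name, "at endpoint:", decapsulated_view(p))
```

Running it shows the practical difference between the two figures: in transport mode the wire still exposes the communicating hosts' addresses (only the ports and payload are hidden), while in tunnel mode only the gateways' addresses and the SPI are visible and the inner hosts, protocol and ports are all inside the encrypted span.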

IPsec policy provides keywords for tunnel mode and transport mode. For more information, review the following:

  • For details on per-socket policy, see the ipsec(7P) man page.

  • For an example of per-socket policy, see How to Use IPsec to Protect Web Server Communication With Other Servers.

  • For more information about tunnels, see the ipsecconf(1M) man page.

  • For an example of tunnel configuration, see How to Protect the Connection Between Two LANs With IPsec in Tunnel Mode.

Copyright © 1999, 2014, Oracle and/or its affiliates. All rights reserved.