RE: Tunnel in IPSec network

From: Robert Neil (RNeil@nova-data.com)
Date: Wed Nov 20 2002 - 12:42:17 GMT-3


My understanding is that in Transport mode the ESP header is added before
the ip header is and only the ip payload is encrypted - the ESP and IP
headers are not encrypted.

In Tunnel mode the ESP header is added after the ip header is added and both
the ESP and ip headers are encrypted along with the payload. Then the
encrypted packet is encapsulated into a new ip packet with a new header.

Tunnel mode is the most common and is typically used between site-to-site or
client-to-site scenarios where basically a user is accessing some sort of
remote LAN resource. Transport mode is used when the terminating gateway is
also the target resource.

robert
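As an added illustration of the header placement the thread is discussing (example code, not from any of the posters), the Python below builds both ESP encapsulations of the same IPv4 packet following the RFC 4303 layout and decapsulates them again. The XOR "cipher", the addresses, the SPIs and the key are all constructed placeholders, and the IP header checksum is left at zero.

```python
import hmac
import struct
from hashlib import sha256

ESP, TCP, IP_IN_IP = 50, 6, 4      # IP protocol numbers

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header, no options; header checksum left at zero for brevity.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def toy_cipher(data, key):
    # Constructed XOR stand-in so the example runs offline; NOT a real ESP cipher.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def esp_encapsulate(pkt, spi, seq, key, mode, outer_src=None, outer_dst=None):
    """Wrap an IPv4 packet in ESP; returns the outer packet and the encrypted byte range."""
    ip_hdr = pkt[:20]
    if mode == "transport":
        inner, next_hdr = pkt[20:], ip_hdr[9]      # payload only; the IP header stays in clear
        src, dst = ip_hdr[12:16], ip_hdr[16:20]     # original addresses still route the packet
    elif mode == "tunnel":
        inner, next_hdr = pkt, IP_IN_IP             # whole original packet, its header included
        src, dst = outer_src, outer_dst             # new outer header names the two gateways
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    pad_len = (-(len(inner) + 2)) % 4               # pad so Pad Length/Next Header end on 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    esp_hdr = struct.pack("!II", spi, seq)          # SPI and sequence number travel in clear
    ct = toy_cipher(inner + trailer, key)
    icv = hmac.new(key, esp_hdr + ct, sha256).digest()[:12]  # 96-bit ICV over ESP hdr + ciphertext
    outer = ipv4_header(src, dst, ESP, 8 + len(ct) + 12) + esp_hdr + ct + icv
    return outer, (28, 28 + len(ct))

def esp_decapsulate(outer, key):
    """Check the ICV before decrypting; returns (next_header, protected bytes)."""
    esp_hdr, ct, icv = outer[20:28], outer[28:-12], outer[-12:]
    if not hmac.compare_digest(icv, hmac.new(key, esp_hdr + ct, sha256).digest()[:12]):
        raise ValueError("ESP ICV mismatch: packet altered or wrong SA")
    pt = toy_cipher(ct, key)
    pad_len, next_hdr = pt[-2], pt[-1]
    return next_hdr, pt[:len(pt) - 2 - pad_len]

# Constructed sample: TCP data from host 10.1.1.5 to 10.2.2.9, protected between two gateways.
HOST_A, HOST_B = bytes([10, 1, 1, 5]), bytes([10, 2, 2, 9])
GW_A, GW_B = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])
KEY = b"constructed-demo-key"
ORIGINAL = ipv4_header(HOST_A, HOST_B, TCP, 12) + b"hello, ipsec"
TRANSPORT, _ = esp_encapsulate(ORIGINAL, 0x1001, 1, KEY, "transport")
TUNNEL, _ = esp_encapsulate(ORIGINAL, 0x1002, 1, KEY, "tunnel", GW_A, GW_B)
```

In transport mode the outer header still carries the end hosts' addresses and only the payload is hidden; in tunnel mode the outer header names the gateways and the original header travels inside the protected bytes.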

-----Original Message-----
From: Larson, Chris [mailto:CLarson@usaid.gov]
Sent: Wednesday, November 20, 2002 7:57 AM
To: 'Hunt Lee'; 'ccielab@groupstudy.com'
Subject: RE: Tunnel in IPSec network

I am not sure about this anymore but it used to be that only AH would be
used in a non-tunnel mode IPSEC. That being the case there is no encryption
and this is only good for integrity checking/authentication. The AH or
transport mode header is placed at the beginning of the data portion of the
packet. In transport mode a packet header is added to the packet and the
packet is encrypted.

The advantages being that tunnel mode uses ESP and DES and the whole packet
is encrypted and encapsulated. Tunnel mode.
AH does not use encryption and is only good for checking data integrity and
authentication or identity. Transport mode.

> -----Original Message-----
> From: Hunt Lee [SMTP:huntl@webcentral.com.au]
> Sent: Wednesday, November 20, 2002 2:35 AM
> To: 'ccielab@groupstudy.com'
> Subject: Tunnel in IPSec network
>
> In an IPSec network, in order to create the Transform-Set, we can use
> either
> tunnel mode (default) or transport mode. My question is: when to use
> which?
> How do we justify which one to use? How do you compare these 2 methods
> in terms of adv vs disadv? Thanks.
>
> Regards,
> H.
This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:07 GMT-3