IPsec encapsulation
IPsec supports two encapsulation modes: transport mode and tunnel mode.
- Transport mode (Transport Mode)
In this mode the security protocol mainly protects upper-layer protocol packets: only the transport-layer data is used to compute the security protocol header. The resulting security protocol header and the encrypted user data (encryption applies to ESP encapsulation only) are placed after the original IP header. Transport mode is used when end-to-end security is required, that is, when the start and end points of the secure transmission are the actual source and destination of the data packets.
As shown in the figure, transport mode is typically used to secure data between two hosts.
- Tunnel mode (Tunnel Mode)
In this mode the security protocol protects the entire IP packet: the whole user IP packet is used to compute the security protocol header. The resulting security protocol header and the encrypted user data (encryption applies to ESP encapsulation only) are encapsulated in a new IP packet. The encapsulated packet therefore carries both an inner and an outer IP header: the inner IP header is the original IP header, and the outer IP header is added by the device that provides the security service. When security is provided by such a device, the start or end point of the secure transmission is not the actual source or destination of the packet (for example, a security gateway behind the host), so tunnel mode must be used.
As illustrated in the figure, tunnel mode is generally used to protect data between two security gateways.
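To make the difference between the two modes concrete, the following added example (not part of the original text) builds a simplified IPv4 packet protected by ESP in transport mode and in tunnel mode, then parses each result to show which IP header is on the outside. The IP header, the ESP trailer padding and the host and gateway addresses are constructed assumptions; the ESP payload region is left in cleartext here and only marked as the region a real ESP SA would encrypt and authenticate, so the byte layout is the point, not the cryptography.

```python
"""Added example: ESP encapsulation layout in transport mode vs tunnel mode.

Simplified constructions only: 20-byte IPv4 header with checksum left at zero,
8-byte ESP header (SPI, sequence number), ESP trailer (padding, pad length,
next header) and no ICV. In real IPsec the payload and trailer are ciphertext.
"""
import struct
import ipaddress

# IANA protocol numbers used in the IP "protocol" field and ESP "next header".
PROTO_TCP = 6
PROTO_ESP = 50
PROTO_IPIP = 4   # ESP payload is a complete IP packet (tunnel mode)

IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst

# Constructed sample transport-layer data (fake TCP ports + text), not real traffic.
SAMPLE_SEGMENT = b"\x04\xd2\x00\x50" + b"constructed TCP segment"


def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header with no options; checksum left zero (assumption)."""
    return struct.pack(
        IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def esp_encapsulate(payload: bytes, next_header: int, spi: int, seq: int) -> bytes:
    """ESP header + payload + trailer. The trailer pads payload+2 bytes to a
    4-byte boundary, as ESP requires, and records what the payload is."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    # Everything after the ESP header would be ciphertext in a real SA.
    return struct.pack("!II", spi, seq) + payload + trailer


def transport_mode(src: str, dst: str, segment: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: the original IP header is kept (its protocol field now
    says ESP) and ESP covers only the transport-layer data placed after it."""
    esp = esp_encapsulate(segment, PROTO_TCP, spi, seq)
    return ip_header(src, dst, PROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src: str, gw_dst: str, inner_packet: bytes, spi: int, seq: int) -> bytes:
    """Tunnel mode: the whole original IP packet, inner header included, is the
    ESP payload; a new outer IP header addressed gateway-to-gateway is added."""
    esp = esp_encapsulate(inner_packet, PROTO_IPIP, spi, seq)
    return ip_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp


def describe(packet: bytes) -> dict:
    """Parse an ESP-carrying IPv4 packet and report its outer/inner layout."""
    fields = struct.unpack(IPV4_FMT, packet[:20])
    if fields[6] != PROTO_ESP:
        raise ValueError("outer protocol is not ESP")
    spi, seq = struct.unpack("!II", packet[20:28])
    body = packet[28:]
    pad_len, next_header = body[-2], body[-1]
    payload = body[:len(body) - 2 - pad_len]
    info = {
        "outer_src": str(ipaddress.IPv4Address(fields[8])),
        "outer_dst": str(ipaddress.IPv4Address(fields[9])),
        "spi": spi,
        "seq": seq,
        "next_header": next_header,
        "mode": "tunnel" if next_header == PROTO_IPIP else "transport",
    }
    if next_header == PROTO_IPIP:
        inner = struct.unpack(IPV4_FMT, payload[:20])
        info["inner_src"] = str(ipaddress.IPv4Address(inner[8]))
        info["inner_dst"] = str(ipaddress.IPv4Address(inner[9]))
    return info


if __name__ == "__main__":
    # Host-to-host: transport mode keeps 10.0.0.1 -> 10.0.0.2 as the only header.
    t = transport_mode("10.0.0.1", "10.0.0.2", SAMPLE_SEGMENT, 0x1000, 1)
    print("transport:", describe(t))
    # Gateway-to-gateway: the same original packet rides inside a new header.
    inner = ip_header("10.0.0.1", "10.0.0.2", PROTO_TCP, len(SAMPLE_SEGMENT)) + SAMPLE_SEGMENT
    u = tunnel_mode("203.0.113.1", "198.51.100.1", inner, 0x2000, 1)
    print("tunnel:   ", describe(u))
```

The parse step is where the security-relevant difference shows: in transport mode the addresses a middlebox sees are the real endpoints, while in tunnel mode only the two gateway addresses are visible and the original source and destination are inside the region that a real ESP SA encrypts.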
The data encapsulation formats for the different security protocols, and their combinations, in tunnel mode and transport mode are as follows: