Tunnel Versus Transport Mode


When sending data between two VPN endpoints, IPSec can add additional Layer 3 security information to IPSec packets. For example, when two VPN gateways communicate, anyone in the untrusted network can see the source IP address as well as the destination IP address. Such an observer could, over time, perform network analysis and map out both internal structures. To mitigate this type of threat, you can configure IPSec to use tunnel mode. Tunnel mode encapsulates the original Layer 3 header and payload inside a new IPSec packet. In this way, the source and destination IP addresses that traverse the Internet are always the same: the outer IP addresses in the new IP header are those of the two VPN gateways. Tunnel mode does add overhead to each packet (a second IP header) and uses some additional CPU resources.

If you have a remote-access IPSec connection, it makes no sense to burden the IPSec devices with creating an additional Layer 3 header, because the source and destination IP addresses will not change. For this reason, IPSec devices initiating such IPSec sessions should be configured to run in transport mode. In transport mode, no additional Layer 3 header is created; the original Layer 3 header is used.
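As an added illustration (example code written for this edit, not taken from the book), the following Python builds the same host-to-host datagram in transport mode and in tunnel mode, then shows what an on-path observer can read from the cleartext outer header and how many bytes of overhead tunnel mode adds. It assumes IPv4 without options, omits ESP encryption and the integrity check value so the layout stays readable, and uses constructed host and gateway addresses from the RFC 5737 documentation ranges.

```python
import struct
import ipaddress

# Constructed example: IPsec ESP packet layout in transport vs tunnel mode.
# Assumptions: IPv4 without options; ESP encryption, padding and the ICV are
# omitted so the layout stays visible; addresses are constructed (RFC 5737).
ESP_PROTO = 50        # IP protocol number for ESP
IPIP_PROTO = 4        # ESP "next header" when an inner IPv4 packet follows (tunnel mode)
TCP_PROTO = 6
IPV4_HDR_LEN = 20
ESP_HDR_LEN = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_LEN = 2   # pad length + next header (padding itself omitted here)


def ipv4_checksum(data: bytes) -> int:
    """One's-complement checksum over a header; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,                  # version 4, IHL 5 (no options)
        0,                             # DSCP/ECN
        IPV4_HDR_LEN + payload_len,    # total length
        0,                             # identification
        0,                             # flags / fragment offset
        ttl,
        proto,
        0,                             # checksum placeholder, filled in below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def esp_encapsulate(spi: int, seq: int, protected: bytes, next_header: int) -> bytes:
    """ESP header + protected data + trailer. Real ESP encrypts data+trailer and appends an ICV."""
    return struct.pack("!II", spi, seq) + protected + struct.pack("!BB", 0, next_header)


def transport_mode(src, dst, l4_proto, payload, spi=0x1000, seq=1) -> bytes:
    """Transport mode: the original IP header stays outermost; only the payload is wrapped in ESP."""
    esp = esp_encapsulate(spi, seq, payload, l4_proto)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(inner_src, inner_dst, gw_src, gw_dst, l4_proto, payload, spi=0x2000, seq=1) -> bytes:
    """Tunnel mode: the whole original packet is wrapped in ESP behind a new gateway-to-gateway header."""
    inner = ipv4_header(inner_src, inner_dst, l4_proto, len(payload)) + payload
    esp = esp_encapsulate(spi, seq, inner, IPIP_PROTO)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def observer_view(packet: bytes) -> dict:
    """What an on-path observer can read: only the cleartext outer IPv4 header."""
    (_, _, total_len, _, _, _, proto, _, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", packet[:IPV4_HDR_LEN])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "len": total_len}


def compare_modes() -> dict:
    """Build the same host-to-host datagram both ways and report what leaks and what it costs."""
    host_a, host_b = "10.1.1.10", "10.2.2.20"          # constructed hosts behind each gateway
    gw_a, gw_b = "203.0.113.1", "198.51.100.1"          # constructed gateway addresses
    payload = b"constructed upper-layer data"           # stands in for a TCP segment
    transport = transport_mode(host_a, host_b, TCP_PROTO, payload)
    tunnel = tunnel_mode(host_a, host_b, gw_a, gw_b, TCP_PROTO, payload)
    return {
        "transport": observer_view(transport),
        "tunnel": observer_view(tunnel),
        "tunnel_overhead_bytes": len(tunnel) - len(transport),
    }


if __name__ == "__main__":
    for mode, view in compare_modes().items():
        print(mode, view)
```

Running it shows the point of the two paragraphs: in transport mode the outer header still carries the internal host addresses (10.1.1.10 and 10.2.2.20) for anyone on the path to record, while in tunnel mode the observer sees only the two gateway addresses, at the cost of one extra IPv4 header (20 bytes) on every packet.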



CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Author: Raman Sud
