Nortel Networks BCM50a Network Router User Manual
Chapter 13 VPN 199
BCM50a Integrated Router Configuration — Basics
Tunnel mode
Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel
mode is required for gateway services to provide access to internal systems.
Tunnel mode is fundamentally an IP tunnel with authentication and encryption.
This is the most common mode of operation. Tunnel mode is required for
BCM50a Integrated Router to BCM50a Integrated Router and host to BCM50a
Integrated Router communications. Tunnel mode communications have two sets
of IP headers:
Outside header: The outside IP header contains the destination IP address of the
BCM50a Integrated Router (the tunnel endpoint).
Inside header: The inside IP header contains the destination IP address of the
final system behind the BCM50a Integrated Router. The security protocol header
(AH or ESP) appears after the outside IP header and before the inside IP header.
IPSec and NAT
Read this section if you are running IPSec on a host computer behind the BCM50a
Integrated Router.
NAT is incompatible with the AH protocol in both Transport and Tunnel mode.
An IPSec VPN using the AH protocol digitally signs the outbound packet, both
data payload and headers, with a hash value appended to the packet. When using
AH protocol, packet contents (the data payload) are not encrypted.
A NAT device between the IPSec endpoints rewrites either the source or the
destination address with one of its own choosing. Because the IP header is part
of the data covered by the AH hash, the VPN device at the receiving end, which
verifies the integrity of the incoming packet by computing its own hash value,
finds that the hash value appended to the received packet does not match. The
VPN device at the receiving end does not know about the NAT in the middle, so
it assumes that the data was maliciously altered and discards the packet.
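The following added example (not from the Nortel manual, and not the BCM50a implementation) models a tunnel-mode AH packet with an outside header, an AH header and an inside header, then shows why a normal router hop (TTL decrement) still verifies while a NAT rewrite of the outside source address fails the integrity check. It assumes HMAC-SHA-256-128 as the integrity algorithm and uses a constructed key and documentation addresses.

```python
import hmac
import hashlib
import struct
import ipaddress

AH_PROTO = 51      # IP protocol number carried in the outside header
IPIP_PROTO = 4     # AH "next header" value for a tunnelled IPv4 packet
ICV_LEN = 16       # HMAC-SHA-256-128 truncated ICV (assumed algorithm)

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """20-byte IPv4 header; checksum left zero because AH does not cover it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def zero_mutable(hdr):
    """Zero the IPv4 fields AH treats as mutable in transit: TOS, flags/fragment
    offset, TTL and header checksum. Addresses are NOT mutable, so NAT breaks AH."""
    h = bytearray(hdr)
    h[1] = 0; h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_header(next_hdr, spi, seq, icv):
    # AH payload length = AH length in 32-bit words minus 2
    return struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq) + icv

def build_tunnel_ah(key, outer_src, outer_dst, inner_pkt, spi=0x1000, seq=1):
    """Outside header + AH + inside packet, ICV computed with the ICV field zeroed."""
    outer = ipv4_header(outer_src, outer_dst, AH_PROTO, 20 + 12 + ICV_LEN + len(inner_pkt))
    ah_zero = ah_header(IPIP_PROTO, spi, seq, b"\x00" * ICV_LEN)
    icv = hmac.new(key, zero_mutable(outer) + ah_zero + inner_pkt, hashlib.sha256).digest()[:ICV_LEN]
    return outer + ah_header(IPIP_PROTO, spi, seq, icv) + inner_pkt

def verify_tunnel_ah(key, pkt):
    """Receiving gateway recomputes the ICV over the packet as it arrived."""
    outer, ah, inner = pkt[:20], pkt[20:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    recv_icv, ah_zero = ah[12:], ah[:12] + b"\x00" * ICV_LEN
    calc = hmac.new(key, zero_mutable(outer) + ah_zero + inner, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(calc, recv_icv)

def router_decrement_ttl(pkt):
    """An ordinary hop: TTL is mutable, so AH still verifies afterwards."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]

def nat_rewrite_source(pkt, new_src):
    """A NAT device in the middle replacing the outside source address."""
    return pkt[:12] + ipaddress.IPv4Address(new_src).packed + pkt[16:]

KEY = b"constructed-demo-key"   # constructed sample key, not a real SA key
INNER = ipv4_header("10.0.0.5", "10.1.0.7", 17, 28) + b"\x00" * 8  # constructed inside packet

def demo():
    pkt = build_tunnel_ah(KEY, "192.0.2.10", "198.51.100.1", INNER)
    return (verify_tunnel_ah(KEY, pkt),
            verify_tunnel_ah(KEY, router_decrement_ttl(pkt)),
            verify_tunnel_ah(KEY, nat_rewrite_source(pkt, "203.0.113.9")))
```

`demo()` returns `(True, True, False)`: the untouched packet and the TTL-decremented packet verify, the NAT-rewritten one does not.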