ZyXEL Communications wireless N gigabit router zyxel Network Router User Manual

Chapter 15 IPSec VPN
NBG-460N User’s Guide
224
15.6.7 IPSec Protocol
The IPSec protocol controls the format of each packet. It also specifies how much
of each packet is protected by the encryption and authentication algorithms. IPSec
VPN includes two IPSec protocols, AH (Authentication Header, RFC 2402) and ESP
(Encapsulating Security Payload, RFC 2406).
Note: The NBG-460N and remote IPSec router must use the same IPSec protocol.
Usually, you should select ESP. AH does not support encryption, and ESP works
better with NAT.
15.6.8 Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode
because it is more secure. Transport mode is only used when the IPSec SA is used
for communication between the NBG-460N and remote IPSec router (for example,
for remote management), not between computers on the local and remote
networks.
Note: The NBG-460N and remote IPSec router must use the same encapsulation.
These modes are illustrated below.
In tunnel mode, the NBG-460N uses the IPSec protocol to encapsulate the entire
IP packet. As a result, there are two IP headers:
Outside header: The outside IP header contains the IP address of the NBG-460N
or remote IPSec router, whichever is the destination.
Inside header: The inside IP header contains the IP address of the computer
behind the NBG-460N or remote IPSec router. The header for the IPSec protocol
(AH or ESP) appears between the IP headers.
Figure 141 VPN: Transport and Tunnel Mode Encapsulation
Original Packet: IP Header | TCP Header | Data
Transport Mode Packet: IP Header | AH/ESP Header | TCP Header | Data
Tunnel Mode Packet: IP Header | AH/ESP Header | IP Header | TCP Header | Data
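The header layouts in Figure 141 can be checked directly on the wire. The following parser is an added example, not code from the NBG-460N or its firmware: it reads the outer IP header, identifies AH (protocol 51) or ESP (protocol 50), and for AH uses the Next Header field to tell tunnel mode (a second IP header follows) from transport mode (a TCP header follows). It also shows the one caveat the figure cannot: ESP keeps its Next Header in the encrypted trailer, so the mode of an ESP packet is not visible without the SA key. The packets are constructed inline with documentation addresses, and TCP_STUB is a placeholder standing in for a real TCP header.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51

def build_ipv4(proto, src, dst, payload):
    """Construct a minimal 20-byte IPv4 header (constructed sample data; checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def build_ah(next_header, spi, seq, icv=b"\x00" * 12):
    """AH header (RFC 2402): 12 fixed bytes plus ICV; Payload Len is 32-bit words minus 2."""
    return struct.pack("!BBHII", next_header, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def parse_ipv4(buf, off=0):
    """Return (header_len, protocol, src, dst) for the IPv4 header starting at buf[off]."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return (ver_ihl & 0x0F) * 4, proto, str(IPv4Address(src)), str(IPv4Address(dst))

def classify_ipsec(pkt):
    """Report the IPsec protocol and, when the Next Header is in the clear, the mode."""
    ihl, proto, src, dst = parse_ipv4(pkt)
    info = {"outer": (src, dst), "protocol": "none"}
    if proto == IPPROTO_AH:
        next_hdr, payload_len, _, spi, seq = struct.unpack_from("!BBHII", pkt, ihl)
        info.update(protocol="AH", spi=spi, seq=seq)
        if next_hdr == IPPROTO_IPIP:  # a second IP header follows AH: tunnel mode
            _, inner_proto, isrc, idst = parse_ipv4(pkt, ihl + (payload_len + 2) * 4)
            info.update(mode="tunnel", inner=(isrc, idst), inner_protocol=inner_proto)
        else:                         # a transport header (e.g. TCP) follows AH: transport mode
            info.update(mode="transport", inner_protocol=next_hdr)
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack_from("!II", pkt, ihl)
        # ESP's Next Header lives in the encrypted trailer: mode is not readable without the SA key.
        info.update(protocol="ESP", spi=spi, seq=seq, mode="unknown (encrypted)")
    return info

# Constructed sample packets, not captured traffic; TCP_STUB is a placeholder for a TCP header.
TCP_STUB = b"\x00\x50\x04\xd2" + b"\x00" * 16
AH_TRANSPORT = build_ipv4(IPPROTO_AH, "192.0.2.1", "198.51.100.1",
                          build_ah(IPPROTO_TCP, 0x1001, 1) + TCP_STUB)
AH_TUNNEL = build_ipv4(IPPROTO_AH, "192.0.2.1", "198.51.100.1",
                       build_ah(IPPROTO_IPIP, 0x1002, 1)
                       + build_ipv4(IPPROTO_TCP, "10.0.0.5", "10.1.0.7", TCP_STUB))
ESP_PACKET = build_ipv4(IPPROTO_ESP, "192.0.2.1", "198.51.100.1",
                        struct.pack("!II", 0x2001, 1) + b"\xa5" * 32)
```

Calling classify_ipsec on each sample packet yields the protocol, SPI and sequence number, plus the inner addresses for the AH tunnel packet; the ESP packet reports only what the outer header and ESP header expose.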