Tunnel mode is supported for both AH and ESP in the JUNOS
software and is the usual choice for a routing platform. In tunnel
mode, the SA and associated protocols are applied to tunneled IPv4
or IPv6 packets. For a tunnel mode SA, an outer IP header specifies
the IPsec processing destination, and an inner IP header specifies
the ultimate destination for the packet. The security protocol header
appears after the outer IP header, and before the inner IP header.
In addition, there are slight differences for tunnel mode when you
implement it with AH and ESP:
- For AH, portions of the outer IP header are protected,
as well as the entire tunneled IP packet.
- For ESP, only the tunneled packet is protected, not the
outer header.
When one side of a security association
is a security gateway (such as a routing platform), the SA must use
tunnel mode. However, when traffic (for example, SNMP commands or
BGP sessions) is destined for a routing platform, the system acts
as a host. Transport mode is allowed in this case because the system
does not act as a security gateway and does not send or receive transit
traffic.
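The tunnel-mode layout described above (outer IP header, then the AH or ESP header, then the inner IP header) and the AH-versus-ESP difference in what is protected, as an added Python example that is not part of the JUNOS documentation: it walks a constructed packet, reports the byte ranges each protocol's integrity check covers, and rejects an AH packet whose next-header field indicates transport rather than tunnel mode. The addresses, SPIs and the assumption that ESP uses NULL encryption with no IV are constructed for illustration only.

```python
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51

def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed test input)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def describe_ipsec_packet(pkt):
    """Walk outer IP header -> AH/ESP header -> inner IP header and report which
    byte ranges the security protocol's integrity check covers (ESP is assumed to use
    NULL encryption with no IV, so the inner header starts right after SPI + sequence)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == IPPROTO_AH:
        # AH fixed header: next header, payload len (32-bit words minus 2), reserved, SPI, seq, ICV
        nxt, plen = pkt[ihl], pkt[ihl + 1]
        inner = ihl + (plen + 2) * 4
        if nxt not in (4, 41):  # 4 = IPv4-in-AH, 41 = IPv6-in-AH
            raise ValueError("AH next header is not IP-in-IP: transport mode, not tunnel mode")
        # AH authenticates the immutable outer header fields plus the entire tunneled packet
        return {"protocol": "AH", "inner_ip_offset": inner,
                "protected": [(0, ihl, "outer IP header, immutable fields only"),
                              (ihl, len(pkt), "AH header + tunneled IP packet")]}
    if proto == IPPROTO_ESP:
        # ESP authenticates from its SPI through the trailer; the outer header is never covered
        return {"protocol": "ESP", "inner_ip_offset": ihl + 8,
                "protected": [(ihl, len(pkt), "ESP header + tunneled IP packet + trailer")]}
    raise ValueError(f"protocol {proto} is not AH or ESP")

def build_sample(security_proto, ah_next_header=4):
    """Constructed tunnel-mode packet: 192.0.2.1 -> 198.51.100.1 carrying 10.0.0.1 -> 10.0.0.2."""
    inner = ipv4_header(17, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 8) + b"payload!"
    if security_proto == IPPROTO_AH:
        # 12-byte fixed header + 12-byte ICV (zeroed here) = 24 bytes = 6 words -> payload len 4
        sec = struct.pack("!BBHII", ah_next_header, 4, 0, 0x1000, 1) + b"\x00" * 12
        body = sec + inner
    else:
        # SPI, seq, then the inner packet and a trailer: pad len 0, next header 4 (IPv4)
        body = struct.pack("!II", 0x2000, 1) + inner + bytes([0, 4])
    outer = ipv4_header(security_proto, b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x01", len(body))
    return outer + body

if __name__ == "__main__":
    for p in (IPPROTO_AH, IPPROTO_ESP):
        print(describe_ipsec_packet(build_sample(p)))
```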