[Contents] [Prev] [Next] [Index] [Report an Error]

Understanding IPsec Operational Modes

IPsec operates in one of two modes—Transport or Tunnel.

Before You Begin

For background information, read Internet Protocol Security (IPsec).

When both ends of the tunnel are hosts, you can use either mode. When at least one of the endpoints of a tunnel is a security gateway, such as a router or firewall, you must use Tunnel mode. Juniper Networks devices always operate in Tunnel mode for IPsec tunnels.

Transport Mode

The original IP packet is not encapsulated within another IP packet, as shown in Figure 79. The entire packet can be authenticated with the Authentication Header protocol (AH), the payload can be encrypted with Encapsulating Security Payload protocol (ESP), and the original header remains in plaintext as it is sent across the WAN.

Figure 79: Transport Modes

Image g030611.gif

Tunnel Mode

The entire original IP packet—payload and header—is encapsulated within another IP payload and a new header is appended to it, as shown in Figure 80. The entire original packet can be encrypted, authenticated, or both. With the Authentication Header (AH) protocol, the AH and new headers are also authenticated. With the Encapsulating Security Payload (ESP) protocol, the ESP header can also be authenticated.

Figure 80: Tunnel Modes

Image g030612.gif

In a site-to-site VPN, the source and destination addresses used in the new header are the IP addresses of the outgoing interface (in NAT or Route mode) or the VLAN1 IP address (in Transparent mode); the source and destination addresses of the encapsulated packets are the addresses of the ultimate endpoints of the connection. See Figure 81.

Figure 81: Site-to-Site VPN in Tunnel Mode

Image g030613.gif

In a dial-up VPN, there is no tunnel gateway on the VPN dial-up client end of the tunnel; the tunnel extends directly to the client itself, as shown in Figure 82. In this case, on packets sent from the dial-up client, both the new header and the encapsulated original header carry the same IP address: that of the client's computer.

Note: Some VPN clients such as the NetScreen-Remote allow you to define a virtual inner IP address. In such cases, the virtual inner IP address is the source IP address in the original packet header of traffic originating from the client, and the IP address that the ISP dynamically assigns the dial-up client is the source IP address in the outer header.

Figure 82: Dial-up VPN in Tunnel Mode

Image g030614.gif
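The following is an added example, not code from this page or from Juniper Networks; it builds the two encapsulations described above (Transport mode, Tunnel mode, the site-to-site case and the dial-up case) byte for byte so the difference in what a third party on the WAN can read is visible. It uses ESP framing as in RFC 4303 with null encryption (ESP-NULL, RFC 2410) and an HMAC-SHA-256-128 integrity check value, an assumption chosen so the layout is exact without a cipher library; the key, SPI, addresses and the "TCP segment" bytes are all constructed sample values.

```python
"""ESP encapsulation in IPsec Transport and Tunnel mode, using null
encryption so that the packet layout can be inspected directly."""
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50    # IP protocol number carried in the outer header for ESP
IPIP_PROTO = 4    # ESP "next header" value for an encapsulated IPv4 packet
TCP_PROTO = 6
ICV_LEN = 16      # HMAC-SHA-256-128: the 256-bit tag is truncated to 128 bits

# Constructed sample values (not taken from the page).
SAMPLE_KEY = b"constructed-integrity-key-for-demo"
SAMPLE_SPI = 0x1000


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over 16-bit words. Over a header whose
    checksum field is already correct, the result is 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def outer_addresses(packet: bytes):
    """Source and destination that anyone on the WAN can read from the outer header."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))


def esp_encapsulate(key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """ESP header + payload + trailer (padding, pad length, next header) + ICV.
    The ICV covers the ESP header, payload and trailer, not the outer IP header."""
    pad_len = (-(len(payload) + 2)) % 4            # align trailer on 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(key: bytes, packet: bytes):
    """Verify the ICV and return (next_header, protected payload)."""
    esp = packet[20:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]


def transport_mode(key: bytes, spi: int, seq: int, ip_packet: bytes) -> bytes:
    """Original IP header stays on the outside in plaintext; only the
    transport payload goes into ESP and the protocol field becomes ESP."""
    hdr, payload = ip_packet[:20], ip_packet[20:]
    esp = esp_encapsulate(key, spi, seq, payload, hdr[9])   # hdr[9] = original protocol
    src, dst = outer_addresses(ip_packet)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(key: bytes, spi: int, seq: int, ip_packet: bytes,
                outer_src: str, outer_dst: str) -> bytes:
    """Whole original packet, header included, goes into ESP; a new outer
    header with the tunnel endpoint addresses is prepended."""
    esp = esp_encapsulate(key, spi, seq, ip_packet, IPIP_PROTO)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def sample_packet(src: str = "10.1.1.5", dst: str = "10.2.2.7") -> bytes:
    """Constructed inner packet between two hosts behind the gateways."""
    segment = b"constructed TCP segment bytes"
    return ipv4_header(src, dst, TCP_PROTO, len(segment)) + segment


if __name__ == "__main__":
    original = sample_packet()
    # Site-to-site: outer addresses are the gateways' outgoing interfaces.
    s2s = tunnel_mode(SAMPLE_KEY, SAMPLE_SPI, 1, original, "203.0.113.1", "198.51.100.1")
    # Dial-up: the tunnel ends on the client, so inner and outer source match.
    dial = tunnel_mode(SAMPLE_KEY, SAMPLE_SPI, 1, sample_packet("192.0.2.44", "10.2.2.7"),
                       "192.0.2.44", "198.51.100.1")
    print("transport outer:", outer_addresses(transport_mode(SAMPLE_KEY, SAMPLE_SPI, 1, original)))
    print("site-to-site outer:", outer_addresses(s2s))
    print("dial-up outer:", outer_addresses(dial))
```

Running it shows the point of the section: in Transport mode the outer addresses are still the two end hosts, while in Tunnel mode they are the gateways (or, for dial-up, the client and the gateway). Decapsulating the tunnel-mode packet returns next header 4 and the untouched original packet; the ICV check catches a modified inner packet but, as with ESP generally, not a modified outer header, which is why the text notes that only AH authenticates the new header as well.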
