166 Fabric OS Administrator’s Guide
53-1001763-02
Management interface security
7

Gateway-to-Gateway Tunnel

In this scenario, neither endpoint of the IP connection implements IPsec, but the network nodes
between them protect traffic for part of the way. Protection is transparent to the endpoints, and
depends on ordinary routing to send packets through the tunnel endpoints for processing. Each
endpoint would announce the set of addresses behind it, and packets would be sent in tunnel
mode where the inner IP header would contain the IP addresses of the actual endpoints.
FIGURE 18 Gateway tunnel configuration

Endpoint-to-Gateway Tunnel

In this scenario, a protected endpoint (typically a portable computer) connects back to its corporate
network through an IPsec-protected tunnel. It might use this tunnel only to access information on
the corporate network, or it might tunnel all of its traffic back through the corporate network in
order to take advantage of protection provided by a corporate firewall against Internet-based
attacks. In either case, the protected endpoint will want an IP address associated with the security
gateway so that packets returned to it will go to the security gateway and be tunneled back.
FIGURE 19 Endpoint to gateway tunnel configuration

RoadWarrior configuration

In endpoint-to-endpoint security, packets are encrypted and decrypted by the host which produces
or consumes the traffic. In the gateway-to-gateway example, a router on the network encrypts and
decrypts the packets on behalf of the hosts on a protected network. A combination of the two is
referred to as a RoadWarrior configuration where a host on the internet requires access to a
network through a security gateway that is protecting the network.

IPsec protocols

IPsec uses two different protocols, Authentication Header (AH) and Encapsulating Security Payload
(ESP), to ensure the authentication, integrity and confidentiality of the communication.