8
In tunnel mode, the original IP datagram is placed inside a new datagram, and AH or ESP are inserted between the IP header of the new packet and the original IP datagram. The new header points to the tunnel endpoint, and the original header points to the final destination of the datagram. Tunnel mode offers the advantage of complete protection of the encapsulated datagram and the possibility to use private or public address space. Tunnel mode is meant to be used by
With IPSec tunnel mode:
If AH is used, the outer header is authenticated as well as the tunneled packet:
New IP header | AH | Old IP | Payload |
|
| header |
|
New IP header
AH
Old IP header Payload
Authenticated
00128
If ESP is used, the protection is offered only to the tunneled packet, not to the new outer IP header. By default, ESP, providing the highest level of confidentiality, is used in this release.
New IP header ESP header Old IP Payload ESP trailer ESP auth header
New IP header
ESP header Old IP header Payload
ESP trailer ESP auth
Authenticated
Encrypted00129
Building VPN on ESP
Tunneling takes the original IP header and encapsulates it within ESP. Then it adds a new IP header, containing the address of a gateway, to the packet. Tunneling allows you to pass nonrouteable and private (RFC 1918) IP addresses through a public network that otherwise would not be accepted. Tunneling with ESP using encryption also has the advantage of hiding the original source and destination addresses from the users on the public network, reducing the chances of traffic analysis attacks. Tunneling with ESP can conceal the addresses of sensitive internal nodes, protecting them from attacks and hiding its existence to outside machines.
Protocol Negotiation and Key Management
To successfully use the IPSec protocol, two gateway systems must negotiate the algorithms used for authentication and encryption. The gateway systems must authenticate themselves and choose session keys that will secure the traffic. The exchange of this information leads to the creation of a security association (SA). An SA is a policy and set of keys used to protect a one-
330 | Nokia Network Voyager for IPSO 4.0 Reference Guide |
