The card processes all IPsec protected packets and hands the processed packets back to the device
for forwarding.
IPsec tunnel interface
An IPsec tunnel interface is a Layer 3 logical interface. It supports dynamic routing. All packets,
including multicast packets, that are routed to an IPsec tunnel interface are IPsec protected.
The IPsec tunnel interface has the following advantages:
• Simplified configuration—The IPsec tunnel interface is easier to configure compared to using
access control lists (ACLs) to identify protected packets. The IPsec tunnel interface improves
network scalability and reduces maintenance costs.
• Reduced payload—The IPsec tunnel interface incurs less protocol overhead and uses less
bandwidth than IPsec over GRE and IPsec over L2TP, which require a GRE header or L2TP
header to be added to each packet.
• Flexible service application—You can apply a service such as NAT or QoS to packets before
or after they are encrypted by IPsec. To handle packets prior to IPsec encryption, apply the
service to the IPsec tunnel interface. To handle IPsec encrypted packets, apply the service to
the physical outbound interface.
Operation of the IPsec tunnel interface
IPsec encapsulation and de-encapsulation occur on IPsec tunnel interfaces. Figure 53 shows how a
clear text packet arriving at a router is forwarded to the IPsec tunnel interface, encapsulated, and
forwarded out.
Figure 53 Encapsulation process of a clear text packet
1. The router forwards a clear text packet received on the inbound interface to the forwarding
module.
2. The forwarding module looks up the routing table and, if the packet must be IPsec protected,
forwards the packet to the IPsec tunnel interface. The original IP packet is encapsulated to
form a new IP packet. The source and destination addresses of the new packet are the source
and destination addresses of the tunnel interface, respectively.
3. The IPsec tunnel interface encapsulates the packet, and then sends the packet to the
forwarding module.
4. The forwarding module looks up the routing table again and forwards the IPsec-encrypted
packet out of the physical outbound interface that is associated with the tunnel interface.
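The four-step encapsulation path above, as an added Python simulation that is not code from this manual or the device software. It models a forwarding module with a longest-prefix routing table and an IPsec tunnel interface: the first lookup sends the clear-text packet to the tunnel interface, the tunnel interface wraps it in a new IP packet whose outer source and destination are the tunnel source and destination, and a second lookup on the outer destination selects the physical outbound interface. The interface names, addresses and routes are constructed for the example; the `encapsulate` method is a stand-in for ESP tunnel-mode processing rather than real encryption, and the recursive-routing check in `forward` is an added sanity check, not something the manual describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    protected: bool = False  # True once the packet has been IPsec-encapsulated


@dataclass
class Route:
    prefix: str      # e.g. "10.2.0.0/16"
    interface: str   # outbound interface name (physical or tunnel)


@dataclass
class TunnelInterface:
    name: str
    source: str       # tunnel source: outer header source address
    destination: str  # tunnel destination: outer header destination address


class Router:
    """Minimal forwarding module: routing table plus IPsec tunnel interfaces."""

    def __init__(self, routes: List[Route], tunnels: List[TunnelInterface]):
        # Longest-prefix match: most specific prefix first.
        self.routes = sorted(
            ((ipaddress.ip_network(r.prefix), r.interface) for r in routes),
            key=lambda item: item[0].prefixlen, reverse=True)
        self.tunnels: Dict[str, TunnelInterface] = {t.name: t for t in tunnels}
        self.trace: List[str] = []

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None

    def encapsulate(self, pkt: Packet, tun: TunnelInterface) -> Packet:
        # Stand-in for ESP tunnel mode (constructed, not real ESP): the whole
        # original packet (header + payload) becomes the protected payload of a
        # new IP packet addressed from the tunnel source to the tunnel destination.
        inner = f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload
        return Packet(src=tun.source, dst=tun.destination, payload=inner, protected=True)

    def forward(self, pkt: Packet) -> Tuple[Packet, Optional[str]]:
        # Step 2: first routing lookup on the clear-text destination.
        iface = self.lookup(pkt.dst)
        self.trace.append(f"lookup {pkt.dst} -> {iface}")
        if iface not in self.tunnels:
            return pkt, iface  # not IPsec protected; ordinary forwarding
        # Step 3: the tunnel interface encapsulates and hands the packet back.
        outer = self.encapsulate(pkt, self.tunnels[iface])
        # Step 4: second lookup on the outer destination -> physical outbound interface.
        out_iface = self.lookup(outer.dst)
        self.trace.append(f"lookup {outer.dst} -> {out_iface}")
        # Added check (assumption, not from the manual): the outer destination must
        # resolve to a physical interface, or forwarding would loop back into the tunnel.
        if out_iface in self.tunnels:
            raise RuntimeError(f"recursive routing: {outer.dst} routes back into {out_iface}")
        return outer, out_iface


def build_demo_router(tunnel_destination: str = "203.0.113.9") -> Router:
    # Constructed topology: site prefix 10.2.0.0/16 and a multicast range go via
    # Tunnel0; everything else, including the tunnel peer, goes via the WAN port.
    routes = [
        Route("10.2.0.0/16", "Tunnel0"),
        Route("239.0.0.0/8", "Tunnel0"),
        Route("0.0.0.0/0", "GigabitEthernet1/0/1"),
    ]
    tunnels = [TunnelInterface("Tunnel0", "198.51.100.1", tunnel_destination)]
    return Router(routes, tunnels)


if __name__ == "__main__":
    router = build_demo_router()
    for dst in ("10.2.0.7", "239.1.1.1", "192.0.2.5"):
        out, iface = router.forward(Packet("10.1.0.5", dst, b"hello"))
        print(f"{dst}: out {out.src}->{out.dst} protected={out.protected} via {iface}")
    print("\n".join(router.trace))
```

Running the block with a tunnel destination that itself falls inside a prefix routed via `Tunnel0` (for example `build_demo_router("10.2.0.99")`) makes the second lookup land on the tunnel again and `forward` raises, which is the failure mode to look for when a tunnel comes up but traffic through it never leaves the physical interface.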
Figure 54 shows how an IPsec packet is de-encapsulated on an IPsec tunnel interface.