Chapter 16 VPN
P-661HNU-Fx User’s Guide
232
which is unchanged by a NAT device. The compatibility of AH and ESP with NAT in
tunnel and transport modes is summarized in the following table.
Y* - This is supported in the ZyXEL Device if you enable NAT traversal.
16.6.4 Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel
mode.
Figure 103 Transport and Tunnel Mode IPSec Encapsulation
Tunnel Mode
Tunnel mode encapsulates the entire IP packet to transmit it securely. A Tunnel
mode is required for gateway services to provide access to internal systems.
Tunnel mode is fundamentally an IP tunnel with authentication and encryption.
This is the most common mode of operation. Tunnel mode is required for
gateway to gateway and host to gateway communications. Tunnel mode
communications have two sets of IP headers:
• Outside header: The outside IP header contains the destination IP address of
the VPN gateway.
• Inside header: The inside IP header contains the destination IP address of the
final system behind the VPN gateway. The security protocol appears after the
outer IP header and before the inside IP header.
Table 62 VPN and NAT
SECURITY
PROTOCOL
MODE NAT
AH Transport N
AH Tunnel N
ESP Transport Y*
ESP Tunnel Y
To Next Page
Loading...
