About IPsec Encapsulation Modes

IPsec can operate in either transport or tunnel mode. You specify the encapsulation mode in the IPsec proposal, then select the proposal in Step 1 of 4 of the IPsec policy.

Transport Mode

In transport mode, the IPsec header (AH, the Authentication Header, or ESP, the Encapsulating Security Payload) is inserted between the IP header and the transport-layer payload, so the host that generates the traffic must apply IPsec before it adds its IP header. Therefore, both ends of the tunnel must be the ultimate endpoints of the traffic and must support IPsec. You can use transport mode to secure traffic for sessions that terminate on the Threat Management Services (TMS) zl Module itself. Transport mode provides flexibility and security, but it can be difficult and "expensive" to deploy, because every client must implement IPsec and add the IPsec header before it adds its IP header and transmits the data.

The IPsec header encapsulates the Transport Layer (Layer 4) payload, and the IP header then encapsulates the IPsec packet. An AH header authenticates the entire packet, including the IP header, except for fields that legitimately change in transit (such as the TTL and the header checksum), which are treated as zero when the integrity value is computed. An ESP header authenticates the ESP header and the payload but not the IP header; it can also encrypt the payload.

Tunnel Mode

IPsec tunnel mode, which operates at the Network Layer (Layer 3), allows a gateway device (such as the TMS zl Module) to secure traffic on behalf of endpoints within the private network, which need not support IPsec themselves.

The TMS zl Module receives a packet that is already encapsulated with an IP header. If the packet is selected for the IPsec tunnel, the module encapsulates the entire IP packet, original IP header included, with an IPsec header and a new delivery IP header that directs the packet to the remote tunnel endpoint.

In tunnel mode, an AH header authenticates both the payload (including the original IP header) and the delivery IP header (again excluding its mutable fields). An ESP header authenticates, and can also encrypt, the entire original packet, including the original IP header, but it does not protect the delivery IP header: the delivery header's addresses and other fields remain visible to, and can be rewritten by, anyone on the path between the two gateways.
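The following Python is an added example, not code from the TMS zl Module documentation, that builds the two ESP layouts described in the transport-mode and tunnel-mode sections so the difference can be seen byte for byte. It uses ESP with NULL encryption (RFC 2410) and an HMAC-SHA-256-128 integrity check value, with a constructed IPv4/TCP packet and a constructed key; it does not model AH, IP options, or key negotiation. The names ipv4_header, esp_wrap, esp_unwrap, transport_mode, tunnel_mode, rewrite_outer_src and decapsulate are this example's own. Note what the final check shows: ESP's ICV never covers the outer (delivery) IP header in either mode, so an on-path party can rewrite the outer source address without the receiver noticing, while in tunnel mode the original IP header is inside the protected payload and any change to it fails verification.

```python
import hmac
import hashlib
import ipaddress
import struct

IPPROTO_IPIP = 4   # next-header value for an encapsulated IPv4 packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 16       # HMAC-SHA-256-128: the ICV is truncated to 128 bits (RFC 4868)
KEY = b"constructed-demo-key-do-not-reuse"  # constructed sample key for the demo only


def ipv4_checksum(hdr: bytes) -> int:
    """Ones'-complement header checksum; returns 0 for a header whose checksum is already correct."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header with no options and a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                                ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def esp_wrap(inner: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """ESP packet: SPI | seq | payload | padding | pad_len | next_header | ICV.
    The ICV covers everything from the SPI to the next_header byte (RFC 4303)."""
    pad_len = (-(len(inner) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_unwrap(esp: bytes, key: bytes):
    """Verify the ICV; return (spi, seq, next_header, inner) or None if verification fails."""
    if len(esp) < 8 + 2 + ICV_LEN:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def transport_mode(ip_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: ESP sits between the original IP header and its Layer 4 payload.
    The original header is kept (protocol becomes 50, length and checksum are updated)."""
    hdr, payload = bytearray(ip_packet[:20]), ip_packet[20:]   # assumes IHL == 5 (no options)
    esp = esp_wrap(payload, hdr[9], spi, seq, key)            # next_header = original L4 protocol
    hdr[2:4] = struct.pack("!H", 20 + len(esp))
    hdr[9] = IPPROTO_ESP
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + esp


def tunnel_mode(ip_packet: bytes, spi: int, seq: int, key: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole original packet, header included, becomes the ESP payload,
    and a new delivery header addressed to the remote gateway is prepended."""
    esp = esp_wrap(ip_packet, IPPROTO_IPIP, spi, seq, key)     # next_header = 4 (IP-in-IP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def rewrite_outer_src(packet: bytes, new_src: str) -> bytes:
    """What an on-path party can do: replace the outer source address and fix the checksum."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def decapsulate(packet: bytes, key: bytes):
    """Receiver side: check the outer header, verify ESP, report the mode and the protected bytes.
    Returns ("transport", l4_payload), ("tunnel", original_ip_packet), or None on failure."""
    hdr = packet[:20]
    if hdr[9] != IPPROTO_ESP or ipv4_checksum(hdr) != 0:
        return None
    result = esp_unwrap(packet[20:], key)
    if result is None:
        return None
    _, _, next_header, inner = result
    return ("tunnel" if next_header == IPPROTO_IPIP else "transport"), inner


if __name__ == "__main__":
    # Constructed sample: a host-to-host packet carrying a 12-byte stand-in for a TCP segment.
    original = ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_TCP, 12) + bytes(12)
    t = transport_mode(original, 0x100, 1, KEY)
    u = tunnel_mode(original, 0x200, 1, KEY, "192.0.2.1", "198.51.100.1")
    print("transport:", len(t), "bytes, outer dst", ipaddress.IPv4Address(t[16:20]), decapsulate(t, KEY)[0])
    print("tunnel:   ", len(u), "bytes, outer dst", ipaddress.IPv4Address(u[16:20]), decapsulate(u, KEY)[0])
    print("outer src rewritten, tunnel still verifies:", decapsulate(rewrite_outer_src(u, "203.0.113.9"), KEY) is not None)
    tampered = bytearray(u); tampered[20 + 8 + 12] ^= 1   # flip a bit in the inner (original) source address
    print("inner header tampered, tunnel verifies:", decapsulate(bytes(tampered), KEY) is not None)
```

In transport mode the original endpoint addresses stay on the wire and the ESP trailer's next-header byte is the original Layer 4 protocol (6 for TCP); in tunnel mode the next-header byte is 4 and the only addresses visible to the network are the two gateways'. Real deployments would use an AEAD or a cipher plus integrity algorithm rather than NULL encryption, but the header layout and what the ICV does and does not cover are the same.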