Home
Topics
VPNs and WAN Security
VPN setup and configuration
IPsec tunnel mode: How it works

Tutorial

IPsec tunnel mode: How it works

Chris Partsenidis

IPsec tunnel mode is usually found between site-to-site virtual private networks (VPNs). In this mode,

Requires Free Membership to View

Login

By submitting you agree to receive email communications from
TechTarget and its partners. Privacy Policy Terms of Use.

IPsec protects the entire IP packet as it transfers from one end to another. IPsec tunnel mode does this by wrapping around the original packet (including the original IP header) and encrypting it with the configured or available encryption algorithms. Next, IPsec adds a new IP header in front of the protected packet and sends it off to the other end of the VPN tunnel.

When the receiving end (the router) accepts the packet, it will reverse the process to find the original IP packet and send it to the local network.

The diagram below (Figure 1) shows an example of a site-to-site network configured with IPsec in tunnel mode:

Figure 1: LAN packets traversing the blue (encrypted) tunnel are wrapped around an IPsec packet using the process described above.

A similar process is followed for a VPN client connecting to its head office using VPN software (like Cisco's VPN Client). The end device at the head office, usually a router or ASA firewall, is configured to accept and terminate client VPN connections and provide access to internal resources. Those interested in configuring a Cisco router to perform this can visit Firewall.cx's Cisco Router VPN Client configuration page. In this example, IPsec works in tunnel mode as it encrypts the original packet. When the original packet arrives at the router or ASA firewall, it will be decrypted and sent to the local network.

It is very important to understand that IPsec tunnel mode protects the entire original packet. No information from the original packet is made visible to the outside world.

This is also illustrated in the diagram below:

Figure 2: An IP packet protected entirely by IPsec tunnel mode protocols. For information on ESP headers, view Firewall.cx's IP security protocol article.

Continue reading this article to learn about IPsec transport mode.

More News and Tutorials

Articles

Related glossary terms

Terms for Whatis.com - the technology online dictionary

This was first published in June 2012

More from Related TechTarget Sites

Networking
Mobile Computing
Telecom
Unified Communications
Networking Channel
Networking UK
Data Backup

Networking
- Will bring your own device security make you sacrifice convenience?
  
  Employee-owned devices can seriously undermine security. But bring your own device is probably here to stay. So what should IT do?
- Marble Security's cloud-based mobile security service augments MDM
  
  Marble Security released its new cloud-based mobile security service that can work with MDM tools for protection of employee-owned mobile devices.
- New VMS feature enables big spines of Mellanox Ethernet ToR switches
  
  A new Layer 3-based Virtual Modular Switch feature on top-of-rack Ethernet switches from Mellanox enables large clusters for leaf-spine architecture.
Mobile Computing
- Bringing BYOD to your enterprise
  
  Bring your own device (BYOD) can be a boon for both employees and enterprises, but clear policies and management tools are needed.
- Meeting technical requirements for mobile health care deployments
  
  IT departments deploying mobile health care solutions must ensure that using mobile devices in health care settings doesn't violate federal laws or compromise security.
- Making the call: Distributed antenna systems and in-building wireless
  
  Distributed antenna systems and in-building wireless solutions are two options to improve wireless cellular coverage within an enterprise facility.
Telecom
- Smartphone adoption spurs advanced services demand in Latin America
  
  Latin American smartphone adoption is more robust than North America's, and the consumers are more mobile-friendly than their peers in developed economies.
- Need for wireless network upgrade is key AT&T/T-Mobile driver
  
  Rising demand for high-quality network service delivery will require operators to undertake a massive wireless network upgrade, driving deals like the AT&T/T-Mobile acquisition.
- Video: ACG Research dissects telecom routing and switching market
  
  In this ACG Research HotSeat video, Managing Partner Ray Mota gives viewers a quarterly update on the telecom service provider routing and switching market.
Unified Communications
- CCIE Voice killed, revived as CCIE Collaboration
  
  The CCIE Voice certification has been retired, with CCIE Collaboration taking its place, advancing IT expertise to include real-time UC capabilities.
- What's the difference between bits and bytes specific to telephony?
  
  The differences between bits and bytes specific to telephony equipment is explained by UC strategies expert Matt Brunk in this expert response.
- Startup Pexip introduces software-based video conferencing bridge
  
  Pexip Infinity is a subscription-based, virtualized video conferencing bridge from the founders of Tandberg.
Networking Channel
- Aruba Networks Partner Program Checklist
  
  Value-added resellers and service providers interested in reselling Aruba networking hardware and software can learn the benefits of becoming an Aruba Networks partner with this standardized checklist. Compare Aruba's reseller partner program with other vendors' offering similar products.
- NetScout Systems Partner Program Checklist
  
  Learn the benefits of becoming a NetScout Systems reseller partner with our Partner Program Checklist.
- Visage Mobile Partner Program Checklist
  
  Learn the benefits of becoming a Visage Mobile reseller partner with our Partner Program Checklist.
Networking UK
- O2 signs UK deal for mobile management offering: SNUK news in brief
  
  SearchNetworkingUK Briefs provides a summary of the week’s new product, services and appointment announcements. This week includes mobile management and much more.
- FCoE or iSCSI? Doesn’t matter! It’s about the Ethernet
  
  Some question the path to network convergence - is it through FCoE or iSCSI? Either way, preparing the existing infrastructure will be key to a healthy network environment.
- Is cloud computing bad for your networking career?
  
  Many network managers may have an emotional resistance to cloud computing, but experts explain the economic benefits and positive career impact outsourcing data centre resources can have.
searchDataBackup
- Zetta improves DataProtect with WAN optimization
  
  Zetta adds WAN optimization to its DataProtect enterprise cloud backup and disaster recovery software.
- SMB data backup strategy must overcome data protection issues
  
  Jason Buffington discusses some of the major data protection issues an SMB must overcome in building their data backup strategy in this podcast.
- HP turns StoreOnce into virtual storage appliance
  
  Hewlett-Packard delivers virtual software appliance version of its StoreOnce deduplication technology and a scalable midrange tape library.

All Rights Reserved,Copyright 2009 - 2013, TechTarget