When the receiving end (the router) accepts the packet, it will reverse the process to find the original IP packet and send it to the local network.
The diagram below (Figure 1) shows an example of a site-to-site network configured with IPsec in tunnel mode:
Figure 1: LAN packets traversing the blue (encrypted) tunnel are wrapped around an IPsec packet using the process described above.
A similar process is followed for a VPN client connecting to its head office using VPN software (like Cisco's VPN Client). The end device at the head office, usually a router or ASA firewall, is configured to accept and terminate client VPN connections and provide access to internal resources. Those interested in configuring a Cisco router to perform this can visit Firewall.cx's Cisco Router VPN Client configuration page. In this example, IPsec works in tunnel mode as it encrypts the original packet. When the original packet arrives at the router or ASA firewall, it will be decrypted and sent to the local network.
It is very important to understand that IPsec tunnel mode protects the entire original packet. No information from the original packet is made visible to the outside world.
This is also illustrated in the diagram below:
Figure 2: An IP packet protected entirely by IPsec tunnel mode protocols. For information on ESP headers, view Firewall.cx's IP security protocol article.
Continue reading this article to learn about IPsec transport mode.
This was first published in June 2012