Configures the security of IP datagrams based on header placement. Tunnel mode applies security to a completely encapsulated IP datagram, while Transport mode does not. The default is Tunnel mode.
Privilege: Security Administrator, Administrator
Syntax
mode { transport | tunnel }
default mode
transport
In Transport mode, the IPSec header is applied only over the IP payload, not over the IP header in front of it. The AH and/or ESP headers appear between the original IP header and the IP payload, as follows:
Original IP header, IPSec headers (AH and/or ESP), IP payload (including transport header).
Transport mode is used for host-to-host communications and is generally unsuited to PDIF traffic.
tunnel
In Tunnel mode, the original IP header is left intact, so a complete IP datagram is encapsulated, forming a virtual tunnel between IPSec-capable devices. The IP datagram is passed to IPSec, where a new IP header is created ahead of the AH and/or ESP IPSec headers, as follows:
New IP header, IPSec headers (AH and/or ESP), old IP header, IP payload.
Tunnel mode is used for network-to-network communications (secure tunnels between routers) or for host-to-network and host-to-host communications over the Internet.
This is the default setting for this command.
default mode
Sets the default IPSec mode to Tunnel.
Usage:
IPSec modes are closely related to the function of the two core protocols, the Authentication Header (AH) and Encapsulating Security Payload (ESP). Both of these protocols provide protection by adding to a datagram a header (and possibly other fields) containing security information. The choice of mode does not affect the method by which each protocol generates its header; rather, it changes which specific parts of the IP datagram are protected and how the headers are arranged to accomplish this.
Example:
The following command configures the default Tunnel mode:
default mode
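The header arrangements described under the transport and tunnel keywords, and the Usage note that mode changes which parts of the datagram are protected, can be checked programmatically. The following Python script is an added example, not part of this command reference or the product's own code: it models the on-the-wire segment order for AH and/or ESP in either mode and marks which segments end up encrypted and which are integrity-protected. The segment names and the coverage rules (ESP covers everything after its header through the trailer, AH covers the whole datagram apart from mutable outer-header fields) are assumptions taken from RFC 4302 and RFC 4303, not from this page.

```python
"""Model of IPSec header placement for the `mode { transport | tunnel }` command.

Added example (not from the original command reference). Builds the segment
order of a datagram protected by AH and/or ESP in transport or tunnel mode and
records which segments each protocol covers, so that the difference in *what*
is protected can be inspected rather than read off a diagram.
Coverage rules are assumptions taken from RFC 4302 (AH) and RFC 4303 (ESP).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Segment:
    name: str
    encrypted: bool = False      # covered by ESP confidentiality
    authenticated: bool = False  # covered by AH or ESP integrity check


def layout(mode: str, protocols: tuple[str, ...] = ("esp",)) -> list[Segment]:
    """Return the on-the-wire segment order for `mode` ('transport' | 'tunnel')."""
    if mode not in ("transport", "tunnel"):
        raise ValueError(f"unknown mode: {mode}")
    protos = set(protocols)
    if not protos or not protos <= {"ah", "esp"}:
        raise ValueError(f"unsupported protocol set: {protocols}")

    if mode == "transport":
        # Transport: IPSec headers slide in between the original IP header and
        # the transport-layer payload; the original IP header stays outside.
        outer = Segment("original IP header")
        inner = [Segment("IP payload (incl. transport header)")]
    else:
        # Tunnel: the whole original datagram is encapsulated behind a new
        # outer IP header carrying the tunnel endpoints' addresses.
        outer = Segment("new IP header")
        inner = [Segment("original IP header"),
                 Segment("IP payload (incl. transport header)")]

    segs = [outer]
    if "ah" in protos:
        segs.append(Segment("AH header"))
    if "esp" in protos:
        segs.append(Segment("ESP header"))
    segs.extend(inner)

    if "esp" in protos:
        segs.append(Segment("ESP trailer"))
        esp_idx = next(i for i, s in enumerate(segs) if s.name == "ESP header")
        # ESP encrypts everything after its header through the trailer and
        # integrity-protects the ESP header plus that ciphertext; the outer IP
        # header is never covered by ESP.
        for s in segs[esp_idx + 1:]:
            s.encrypted = True
        for s in segs[esp_idx:]:
            s.authenticated = True
        segs.append(Segment("ESP ICV"))

    if "ah" in protos:
        # AH integrity-protects the entire datagram, including the outer IP
        # header (mutable fields such as TTL are zeroed for the computation).
        for s in segs:
            s.authenticated = True
    return segs


def wire_order(mode: str, protocols: tuple[str, ...] = ("esp",)) -> str:
    """Human-readable segment order, matching the reference's 'as follows' lines."""
    return " | ".join(s.name for s in layout(mode, protocols))


def coverage(mode: str, protocols: tuple[str, ...] = ("esp",)) -> dict[str, list[str]]:
    """Names of the segments that end up encrypted / integrity-protected."""
    segs = layout(mode, protocols)
    return {
        "encrypted": [s.name for s in segs if s.encrypted],
        "authenticated": [s.name for s in segs if s.authenticated],
    }


if __name__ == "__main__":
    for m in ("transport", "tunnel"):
        for p in (("esp",), ("ah",), ("ah", "esp")):
            print(f"{m:9s} {'+'.join(p):6s}: {wire_order(m, p)}")
            print(f"{'':17s}{coverage(m, p)}")
```

Running the script shows the point the Usage section makes: in transport mode the original IP header (addresses included) sits outside ESP's coverage, while in tunnel mode it is inside the encrypted and authenticated region and only the new outer header is exposed.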