Packet Encapsulation in IPsec

Packet encapsulation is handled by ESP or AH or both for an IPsec tunnel. Encapsulation includes encrypting the data portion of the header if ESP is being used, adding the appropriate header to provide the IPsec peer with information on how to decrypt the data (for ESP), and generating hashes to be used by the peer for verifying that the data (and the IP header in the case of AH) was not tampered with in transit.

Encapsulation can occur in two main ways:

  • Transport mode

  • Tunnel mode

Transport Mode

In transport mode, the original IP header of the packet that is being encrypted is used to transport the packet. An additional header for ESP or AH (or both) is inserted between the packet's IP header and its IP payload. This ...

Get Network Security Principles and Practices now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.