
IPsec Packets

After IKE negotiations complete and the two IKE gateways have established Phase 1 and Phase 2 security associations (SAs), the device applies IPsec protection to subsequent clear-text IP packets that hosts behind one IKE gateway send to hosts behind the other gateway (assuming that policies permit the traffic). If the Phase 2 SA specifies the Encapsulating Security Payload (ESP) protocol in Tunnel mode, the packet looks like the one shown below. The device adds two additional headers to the original packet that the initiating host sends.

Note: For information about ESP, see Encapsulating Security Payload (ESP) Protocol. For information about Tunnel mode, see Tunnel Mode.

As shown in Figure 83, the packet that the initiating host constructs includes the payload, the TCP header, and the inner IP header (IP1).

Figure 83: IPsec Packet—ESP in Tunnel Mode


The outer IP header (IP2), which JUNOS software with enhanced services adds, contains the IP address of the remote gateway as the destination IP address and the IP address of the local router as the source IP address. JUNOS software with enhanced services also adds an ESP header between the outer and inner IP headers. The ESP header contains information that allows the remote peer to properly process the packet when it receives it. This is illustrated in Figure 84.

Figure 84: Outer IP Header (IP2) and ESP Header


The Next Header field indicates the type of data in the payload field. In Tunnel mode, this value is 4, indicating IP-in-IP. If ESP is applied in Transport mode, this value is the protocol number of a transport-layer protocol, such as 6 for TCP or 17 for UDP. See Figure 85.

Figure 85: Inner IP Header (IP1) and TCP Header

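The following added example (not JUNOS code, and not part of the original page) builds and then walks the layout of Figures 83 to 85: outer header IP2 with protocol 50, the ESP header (SPI and sequence number), the inner header IP1 and TCP header, and the ESP trailer whose Next Header value (4, 6 or 17) tells the receiver whether it is looking at Tunnel or Transport mode. It assumes a NULL-encryption SA with no integrity check value, so that the inner headers and the trailer are visible as plaintext; on a real SA the receiver sees this layout only after decryption. All addresses, ports and SPI values are constructed sample data.

```python
import struct

ESP_PROTO = 50        # protocol number in the outer IP header (IP2) for ESP
NEXT_HDR_IPV4 = 4     # ESP Next Header 4 = IP-in-IP, i.e. Tunnel mode
TRANSPORT_NAMES = {6: "TCP", 17: "UDP"}   # Next Header values seen in Transport mode

def dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero because this is constructed data."""
    octets = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       octets(src), octets(dst))

def esp_encapsulate(gw_local, gw_remote, inner, spi, seq, next_hdr=NEXT_HDR_IPV4):
    """IP2 + ESP header (SPI, sequence) + payload + ESP trailer (padding, pad length, Next Header)."""
    pad_len = (-(len(inner) + 2)) % 4       # RFC 4303: pad so the trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    esp = struct.pack("!II", spi, seq) + inner + trailer
    return ipv4_header(gw_local, gw_remote, ESP_PROTO, len(esp)) + esp

def parse_esp(packet: bytes) -> dict:
    """Walk IP2 -> ESP -> (IP1 ->) transport header, following Figures 83 to 85."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO:
        raise ValueError("outer header is not protocol 50 (ESP)")
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    body = packet[ihl + 8:]
    pad_len, next_hdr = body[-2], body[-1]
    payload = body[:len(body) - 2 - pad_len]
    info = {"outer_src": dotted(packet[12:16]), "outer_dst": dotted(packet[16:20]),
            "spi": spi, "seq": seq, "next_header": next_hdr}
    if next_hdr == NEXT_HDR_IPV4:           # Tunnel mode: payload begins with the inner header IP1
        info["mode"] = "tunnel"
        info["inner_src"], info["inner_dst"] = dotted(payload[12:16]), dotted(payload[16:20])
        proto, transport = payload[9], payload[(payload[0] & 0x0F) * 4:]
    elif next_hdr in TRANSPORT_NAMES:       # Transport mode: payload begins with TCP/UDP directly
        info["mode"] = "transport"
        proto, transport = next_hdr, payload
    else:
        raise ValueError(f"unexpected Next Header {next_hdr}")
    info["transport"] = TRANSPORT_NAMES.get(proto, str(proto))
    info["src_port"], info["dst_port"] = struct.unpack("!HH", transport[:4])
    return info

# Constructed sample: host 10.1.1.10 -> 10.2.2.20, TCP 40000 -> 443, between gateways 192.0.2.1 and 198.51.100.1
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
INNER_IP1 = ipv4_header("10.1.1.10", "10.2.2.20", 6, len(TCP_HDR)) + TCP_HDR
SAMPLE_TUNNEL = esp_encapsulate("192.0.2.1", "198.51.100.1", INNER_IP1, spi=0x10000001, seq=1)
SAMPLE_TRANSPORT = esp_encapsulate("192.0.2.1", "198.51.100.1", TCP_HDR, 0x10000002, 7, next_hdr=6)
```

Running `parse_esp(SAMPLE_TUNNEL)` shows the gateway addresses in IP2 and the host addresses in IP1, whereas `parse_esp(SAMPLE_TRANSPORT)` finds the TCP header immediately after the ESP header because Next Header is 6.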

