Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 02-08-2013, 11:57 PM   #1
Senior Member
Registered: May 2009
Location: WV, USA
Distribution: Slackware, Ubuntu, Amazon Linux
Posts: 1,850
Blog Entries: 21

Rep: Reputation: 119Reputation: 119
Why does IPsec needs its own tunnel mode?

Why can't the tunnel mode of IPsec simply be another layer providing encapsulation? For example, if I have:

1. LAN#1 with subnet
2. Router#1 on LAN#1 with public IP
3. Router#2 on LAN#2 with public IP
4. LAN#2 with subnet

I cannot just route the 2 private subnets over the internet. I need to encapsulate them so that real routable IPs are the face of the packet, while the private IPs are just payload from the internet point of view. That's encapsulation.

Now all I need to do is have IPsec recognize that I want all traffic between and to be encrypted.

How is this not 2 distinct layers?
Old 02-09-2013, 07:09 PM   #2
Ser Olmy
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 2,507

Rep: Reputation: Disabled
IPsec tunnel mode IS a layer of encapsulation. The original datagram is encrypted, header and all, and encapsulated in an IP protocol 50 packet (IPsec ESP).

You could combine something like GRE and IPsec transport mode and achieve basically the same result.
Old 02-09-2013, 09:16 PM   #3
Senior Member
Registered: May 2009
Location: WV, USA
Distribution: Slackware, Ubuntu, Amazon Linux
Posts: 1,850
Blog Entries: 21

Original Poster
Rep: Reputation: 119Reputation: 119
Why isn't the encapsulation that IPsec has simply a separately defined protocol? Why is it "a part of" IPsec? Is it considered superior to other encapsulation protocols? Or is it specifically optimal for IPsec? Why is it considered a "mode" (transport vs. tunnel)? Can I have BOTH transported traffic (using public IP to public IP) as well as tunneled traffic (using private IP to private IP) on the same IPsec path?

I am interested in determining if it is possible to set up an IPsec encrypted tunnel for a VPN, where the point that IPsec encryption takes place is separate from where the tunnel endpoint (where encapsulation and decapsulation takes place). The following reprents 4 hosts, 2 LANs, and the Internet:


Last edited by Skaperen; 02-09-2013 at 09:34 PM.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
CentOS IPSec Tunnel Mode with NAT-Traversal azrael808 Linux - Security 4 11-23-2012 04:37 PM
Strongswan - IPsec tunnel - can we have one way tunnel vishalwithme Linux - Networking 4 04-05-2012 01:07 AM
IPSec tunnel over multiple interfaces tylerl Linux - Networking 0 07-21-2005 06:07 PM
IPSEC Tunnel behind NAT pssst_yeah_you Linux - Networking 0 06-23-2004 05:54 PM
2.6 IPSEC Tunnel mode gateway mhiggins Linux - Networking 1 02-28-2004 02:50 PM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 09:38 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration