ESP Tunnel Mode

As shown in Figure 8.10, when in tunnel mode the inner IP header (the original packet header) carries the ultimate source and destination addresses, and the outer IP header might contain addresses of security gateways.


Figure 8.10 ESP Tunnel Mode

The Signed area indicates where the packet has been signed for integrity and authentication. The Encrypted area indicates what information is protected with confidentiality.

Because a new header is placed on the packet for tunneling, the original header now sits after the ESP header and is treated as part of the encapsulated payload, so everything following the ESP header is signed (except for the ESP authentication trailer).

An ESP trailer is appended to the entire packet before encryption. Everything following the ESP header, except for the ESP authentication trailer, is encrypted, including the original header, because it is now considered part of the data portion.

The entire ESP payload is then encapsulated within the new tunnel header, which is not encrypted. The information in the new tunnel header is only used to route the packet from origin to destination.

If the packet is being sent across a public network, it is routed to the IP address of the tunnel server for the receiving intranet, even though the packet itself is most likely destined for an intranet computer. The tunnel server verifies and decrypts the packet, strips the tunnel header along with the ESP header and trailer, and uses the original IP header to route the packet to the intranet computer.
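The framing steps above (ESP header, original packet, ESP trailer, encryption, signing, then the outer tunnel header, and the reverse on the receiving gateway) as a worked byte layout. This is an added example, not code from the TechNet page: it builds a constructed IPv4-in-ESP tunnel-mode packet and reports which byte ranges fall in the signed and encrypted areas. The cipher and integrity algorithm are assumptions chosen so it runs with the standard library only: HMAC-SHA256 truncated to 16 bytes stands in for the ESP integrity check value, and an HMAC-based counter keystream stands in for the real cipher. Gateway addresses use the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
"""Worked layout of an IPsec ESP tunnel-mode packet (added example).

Assumptions (not from the page): HMAC-SHA256 truncated to 16 bytes stands in
for the ESP integrity check value, and an HMAC-based counter keystream stands
in for the real cipher so the example runs with the standard library only.
"""
import hmac
import hashlib
import struct
import ipaddress

IPPROTO_ESP = 50      # protocol number carried in the outer IP header
IPPROTO_IPIP = 4      # "next header" in the ESP trailer: an encapsulated IPv4 packet
ICV_LEN = 16          # truncated HMAC length used here (assumption)


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (constructed, no options, checksum zeroed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES, assumption)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(inner_pkt, spi, seq, enc_key, auth_key, gw_src, gw_dst):
    """Wrap a whole inner IP packet: outer IP | ESP hdr | enc(inner + trailer) | ICV."""
    esp_hdr = struct.pack("!II", spi, seq)
    # ESP trailer: pad to a 4-byte boundary, then pad length and next header.
    pad_len = (-(len(inner_pkt) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
    plaintext = inner_pkt + trailer          # original header is now payload
    ks = _keystream(enc_key, spi, seq, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    # Signed area: ESP header plus everything encrypted, but not the ICV itself.
    icv = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_hdr + ciphertext + icv
    outer = ipv4_header(gw_src, gw_dst, IPPROTO_ESP, 20 + len(esp))  # not encrypted
    return outer + esp


def esp_layout(outer_pkt):
    """Byte ranges of the signed and encrypted areas of a tunnel-mode packet."""
    n = len(outer_pkt)
    return {
        "outer_header": (0, 20),
        "esp_header": (20, 28),
        "encrypted": (28, n - ICV_LEN),
        "signed": (20, n - ICV_LEN),
        "icv": (n - ICV_LEN, n),
    }


def esp_decapsulate(outer_pkt, enc_key, auth_key):
    """Gateway side: verify ICV, decrypt, strip outer/ESP framing, return inner packet."""
    esp = outer_pkt[20:]
    esp_hdr, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")   # drop before decrypting
    spi, seq = struct.unpack("!II", esp_hdr)
    plaintext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, spi, seq, len(body))))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("unexpected next header %d" % next_hdr)
    return plaintext[:-(pad_len + 2)]        # original IP header is now in front again


# Constructed sample: host 10.1.1.5 sends to 10.2.2.9 via gateways 203.0.113.1 -> 198.51.100.1
ENC_KEY, AUTH_KEY = b"K" * 32, b"A" * 32
INNER = ipv4_header("10.1.1.5", "10.2.2.9", 17, 20 + 5) + b"hello"
PACKET = esp_encapsulate(INNER, 0x1001, 1, ENC_KEY, AUTH_KEY, "203.0.113.1", "198.51.100.1")

if __name__ == "__main__":
    for name, (a, b) in esp_layout(PACKET).items():
        print(f"{name:13s} bytes {a:3d}-{b:3d}")
    print("recovered inner packet:", esp_decapsulate(PACKET, ENC_KEY, AUTH_KEY) == INNER)
```

The order of operations in `esp_decapsulate` is the defensive one: the integrity check runs over the ESP header and ciphertext before any decryption, and a packet that fails it is dropped without touching the keystream. Only the outer header, with the gateway addresses, is readable on the public network; the inner addresses 10.1.1.5 and 10.2.2.9 sit inside the encrypted range.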