H3C Technologies H3C SecPath F1000-E User Manual

Figure 2 Encapsulation process of a clear text packet

1. The router forwards a clear text packet received on the inbound interface to the forwarding module.

2. The forwarding module looks up the routing table and, if the packet must be IPsec protected, forwards the packet to the IPsec tunnel interface. The original IP packet is encapsulated to form a new IP packet. The source and destination addresses of the new packet are the source and destination addresses of the tunnel interface, respectively.

3. The IPsec tunnel interface encapsulates the packet, and then sends the packet to the forwarding module.

4. The forwarding module looks up the routing table again and forwards the IPsec-encrypted packet out of the physical interface that is associated with the tunnel interface.

Figure 3 shows how an IPsec packet is de-encapsulated on an IPsec tunnel interface.

Figure 3 De-encapsulation process of an IPsec packet

1. The router forwards an IPsec packet received on the inbound interface to the forwarding module.

2. Identifying that the destination address of the packet is the tunnel interface and the protocol is AH or ESP, the forwarding module forwards the packet to the IPsec tunnel interface for de-encapsulation.

3. The IPsec tunnel interface de-encapsulates the packet, and then delivers the resulting clear text packet to the forwarding module.

4. The forwarding module looks up the routing table, and then forwards the clear text packet out of the physical interface associated with the tunnel interface.
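
The outer-header construction in encapsulation step 2 and the hand-off test in de-encapsulation step 2, modeled in Python as an added example (not code from the H3C manual or the device). It builds only the addressing and ESP header fields and performs no encryption; the addresses, SPI, sequence number and function names are constructed for illustration.

```python
import ipaddress
import struct

ESP, AH = 50, 51  # IANA IP protocol numbers for ESP and AH

def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header (no options, TTL 64) with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def encapsulate(inner: bytes, tun_src: str, tun_dst: str, spi: int, seq: int) -> bytes:
    """Encapsulation step 2: wrap the original packet in a new IP packet whose
    source/destination are the tunnel's addresses. Assumption: payload left unencrypted."""
    esp = struct.pack("!II", spi, seq) + inner
    return ipv4_header(tun_src, tun_dst, ESP, len(esp)) + esp

def parse(packet: bytes):
    """Return (src, dst, proto) of an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    src, dst = (str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))
    return src, dst, packet[9]

def classify(packet: bytes, tunnel_addr: str) -> str:
    """De-encapsulation step 2: hand the packet to the tunnel interface only if it
    is addressed to the tunnel AND carries AH or ESP; otherwise route it normally."""
    _, dst, proto = parse(packet)
    return "tunnel-interface" if dst == tunnel_addr and proto in (ESP, AH) else "route"

def decapsulate(packet: bytes) -> bytes:
    """De-encapsulation step 3 in this unencrypted model: strip outer IP and ESP headers."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + 8:]

# Constructed sample: a UDP-protocol inner packet and documentation-range tunnel endpoints.
INNER = ipv4_header("10.1.1.10", "10.2.2.20", 17, 8) + b"\x00" * 8
OUTER = encapsulate(INNER, "192.0.2.1", "198.51.100.1", spi=0x1001, seq=1)
```

Both conditions in `classify` matter: an ESP packet addressed elsewhere, or a clear text packet addressed to the tunnel endpoint, stays on the ordinary routing path.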

Owing to the IPsec tunnel interface, two distinct phases exist: the pre-encryption phase and the post-encryption phase. This separation allows you to apply features such as NAT and QoS flexibly in the appropriate phase, as required. For example, if you want to apply QoS to packets before IPsec encapsulation, apply the QoS