IPsec tunnel, IPsec tunnel interface, IPsec tunnel interface overview – H3C Technologies H3C SecPath F1000-E User Manual

If the number of IPsec tunnels in your network is small, use the manual mode, in which the SA parameters (SPIs and keys) are configured statically on both peers and are never refreshed automatically. If the number of IPsec tunnels is large, use the ISAKMP mode, in which IKE negotiates the SAs and rekeys them.

IPsec tunnel

An IPsec tunnel is a bidirectional channel created between two peers. Because an SA protects traffic in one direction only, an IPsec tunnel comprises one or more pairs of SAs, one inbound and one outbound SA per pair.

IPsec tunnel interface

IPsec tunnel interface overview

An IPsec tunnel interface is a Layer 3 logical interface. It supports dynamic routing. All packets, including multicast packets, that are routed to an IPsec tunnel interface are IPsec protected.

The IPsec tunnel interface has the following advantages:

• Simplified configuration. The IPsec tunnel interface is easier to configure than using access control lists (ACLs) to identify the packets to protect: whether a packet is protected is decided by the routing table rather than by ACL matching. This improves network scalability and reduces maintenance costs.

• Reduced overhead. The IPsec tunnel interface adds less protocol overhead and uses less bandwidth than IPsec over GRE and IPsec over L2TP, which require a GRE header or an L2TP header to be added to each packet in addition to the IPsec encapsulation.

• Flexible service application. You can apply a service such as NAT or QoS to packets before or after they are encrypted by IPsec. To process packets before IPsec encryption, apply the service to the IPsec tunnel interface. To process the IPsec encrypted packets, apply the service to the physical outbound interface. A service that must see the original headers or payload, such as QoS classification on inner addresses and ports, has to be applied to the tunnel interface, because after encryption only the outer IP header and the ESP header are visible.

IPsec tunnel interface operation

IPsec encapsulation and de-encapsulation occur on IPsec tunnel interfaces. Figure 96 shows how a clear text packet arriving at a router is forwarded to the IPsec tunnel interface, encapsulated, and forwarded out.

Figure 96 Encapsulation process of a clear text packet

1. The router forwards a clear text packet received on the inbound interface to the forwarding module.

2. The forwarding module looks up the routing table and, if the matching route points to the IPsec tunnel interface (that is, the packet must be IPsec protected), forwards the packet to that interface. The original IP packet is encapsulated to form a new IP packet (tunnel-mode encapsulation). The source and destination addresses of the new packet are the source and destination addresses configured on the tunnel interface, respectively.
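The forwarding decision and tunnel-mode encapsulation of steps 1 and 2, as an added Python example that is not H3C code and not part of the original manual. It assumes a constructed topology (tunnel endpoints 192.0.2.1 and 198.51.100.1, subnet 10.2.0.0/16 behind the peer, interface names Tunnel0 and GigabitEthernet0/1), one SPI and key shared by both directions for brevity (a real SA pair uses distinct SPIs and keys per direction), and ESP with NULL encryption (RFC 2410) plus HMAC-SHA256-128 integrity (RFC 4868) so the framing can be built with the standard library alone. The second route lookup that sends the encapsulated packet out the physical interface is an assumed continuation, since that step is not on this page.

```python
"""Forwarding and encapsulation on an IPsec tunnel interface (added example,
not H3C code). Stdlib only: ESP uses NULL encryption (RFC 2410) and
HMAC-SHA256-128 integrity (RFC 4868). Addresses, SPI and key are constructed."""
import hashlib
import hmac
import struct
from ipaddress import ip_address, ip_network

PROTO_IPIP, PROTO_ESP, ICV_LEN = 4, 50, 16   # ESP next header, ESP proto, ICV bytes


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": str(ip_address(pkt[12:16])), "dst": str(ip_address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:]}


class TunnelInterface:
    """Layer 3 logical interface: every packet routed to it is wrapped in
    tunnel-mode ESP whose outer addresses are the tunnel source/destination."""

    def __init__(self, name, source, destination, spi, auth_key):
        self.name, self.source, self.destination = name, source, destination
        self.spi, self.auth_key = spi, auth_key
        self.seq = 0                              # ESP sequence number (anti-replay)

    def _icv(self, data: bytes) -> bytes:
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]

    def encapsulate(self, inner: bytes) -> bytes:
        self.seq += 1
        pad_len = (-(len(inner) + 2)) % 4         # trailer must end 4-byte aligned
        padding = bytes(range(1, pad_len + 1))    # RFC 4303 default pad pattern
        esp = (struct.pack("!II", self.spi, self.seq) + inner + padding
               + bytes([pad_len, PROTO_IPIP]))
        return build_ipv4(self.source, self.destination, PROTO_ESP, esp + self._icv(esp))

    def decapsulate(self, outer: bytes) -> bytes:
        p = parse_ipv4(outer)
        if p["proto"] != PROTO_ESP or p["dst"] != self.source or p["src"] != self.destination:
            raise ValueError("outer packet is not ESP between this tunnel's endpoints")
        esp, icv = p["payload"][:-ICV_LEN], p["payload"][-ICV_LEN:]
        if not hmac.compare_digest(icv, self._icv(esp)):
            raise ValueError("ESP integrity check failed")   # verify before parsing
        spi, _seq = struct.unpack("!II", esp[:8])
        pad_len, next_hdr = esp[-2], esp[-1]
        if spi != self.spi or next_hdr != PROTO_IPIP:
            raise ValueError("unknown SPI or unexpected next header")
        return esp[8:len(esp) - 2 - pad_len]


class Router:
    """Forwarding module with a longest-prefix-match routing table."""

    def __init__(self, routes, tunnels):
        self.routes = sorted(((ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.tunnels = {t.name: t for t in tunnels}

    def lookup(self, dst: str) -> str:
        for net, iface in self.routes:
            if ip_address(dst) in net:
                return iface
        raise LookupError(f"no route to {dst}")

    def forward(self, pkt: bytes):
        """Steps 1-2 of Figure 96, then (assumed) a second lookup on the outer
        destination; a tunnel routed back into a tunnel is rejected, not looped."""
        iface = self.lookup(parse_ipv4(pkt)["dst"])
        if iface not in self.tunnels:
            return iface, pkt
        outer = self.tunnels[iface].encapsulate(pkt)
        phys = self.lookup(parse_ipv4(outer)["dst"])
        if phys in self.tunnels:
            raise ValueError(f"{iface} destination is routed into {phys}")
        return phys, outer


def demo():
    """Constructed topology: 10.2.0.0/16 sits behind the peer, reached via Tunnel0."""
    key = bytes(range(32))                        # constructed key, not a real one
    local = TunnelInterface("Tunnel0", "192.0.2.1", "198.51.100.1", 0x1000, key)
    peer = TunnelInterface("Tunnel0", "198.51.100.1", "192.0.2.1", 0x1000, key)
    router = Router([("10.2.0.0/16", "Tunnel0"), ("0.0.0.0/0", "GigabitEthernet0/1")],
                    [local])
    clear = build_ipv4("10.1.0.5", "10.2.0.9", 17, b"hello")
    phys, outer = router.forward(clear)
    return phys, outer, peer.decapsulate(outer)
```

Calling demo() routes a 25-byte clear text packet for 10.2.0.9 into Tunnel0, produces a 72-byte outer packet from 192.0.2.1 to 198.51.100.1 with protocol 50, sends it out GigabitEthernet0/1, and recovers the original packet on the peer. The receiver checks the ICV before interpreting any ESP field, which is the order a real implementation must use; flipping any byte of the outer payload makes decapsulate raise instead of returning garbage.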