Cisco Packet Data Gateway (PDG) Troubleshooting Guide
IPSec Transform Set Configuration Mode Commands
Cisco ASR 5000 Series Command Line Interface Reference
OL-22947-02
mode
Configures the security of IP datagrams based on header placement. Tunnel mode applies security to a completely
encapsulated IP datagram (the original IP header included), while Transport mode applies it only to the IP payload
behind the original IP header. The default is Tunnel mode.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
mode { transport | tunnel }
transport
In Transport mode, the IPSec header is applied only over the IP payload, not over the IP header in front of it.
The AH and/or ESP headers appear between the original IP header and the IP payload, as follows:
Original IP header, IPSec headers (AH and/or ESP), IP payload (including transport header).
Because the original IP header stays outside the protected region, the real source and destination addresses
remain visible on the wire. Transport mode is used for host-to-host communications and is generally unsuited to
PDIF traffic.
tunnel
In Tunnel mode, the original IP header is left intact, so a complete IP datagram is encapsulated, forming a
virtual tunnel between IPSec-capable devices. The IP datagram is passed to IPSec, where a new IP header is
created ahead of the AH and/or ESP IPSec headers, as follows:
New IP header, IPSec headers (AH and/or ESP), old IP header, IP payload.
Only the addresses of the tunnel endpoints appear in the new header; the original addresses are inside the
protected region. Tunnel mode is used for network-to-network communications (secure tunnels between routers) or
host-to-network and host-to-host communications over the Internet.
This is the default setting for this command.
Usage
IPSec modes are closely related to the function of the two core protocols, the Authentication Header (AH)
and Encapsulating Security Payload (ESP). Both of these protocols provide protection by adding to a
datagram a header (and, in the case of ESP, a trailer and integrity check value) containing security information.
The choice of mode does not affect the method by which each generates its header, but rather changes which parts
of the IP datagram are protected and how the headers are arranged to accomplish this. The mode configured here
must match the mode negotiated for the security association; a mismatch leaves the peer unable to interpret the
protected payload.
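The two header arrangements described above, as an added example that is not code from the Cisco reference: a Python script that frames a constructed IPv4/UDP datagram in ESP transport and in ESP tunnel mode using the NULL cipher (RFC 2410) so the byte layout stays readable, then strips ESP again and infers which mode was used from the ESP trailer's Next Header field (4, meaning an IPv4 datagram follows, marks tunnel mode). Real ESP encrypts the same region and appends an ICV; the addresses, SPI, sequence number and helper names are illustrative assumptions.

```python
"""ESP framing in transport vs tunnel mode (RFC 4303 layout, NULL cipher per RFC 2410).

Added example, not code from the Cisco reference: the addresses, SPI, sequence
number and helper names are illustrative assumptions. No encryption or ICV is
applied, so the byte layout stays readable; real ESP protects the same bytes.
"""
import struct

IPPROTO_ESP = 50
IPPROTO_UDP = 17
IPPROTO_IPIP = 4   # Next Header value meaning "an IPv4 datagram follows" (tunnel mode)


def ip2b(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def b2ip(raw: bytes) -> str:
    return ".".join(str(o) for o in raw)


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words; 0 when run over a correctly filled header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options; DF set, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_wrap(spi: int, seq: int, data: bytes, next_header: int) -> bytes:
    """SPI | Sequence | Payload | Padding | Pad Length | Next Header (RFC 4303).

    Everything after the sequence number is the region ESP would encrypt; the
    trailer's Next Header tells the receiver what the payload is."""
    pad_len = (-(len(data) + 2)) % 4          # NULL cipher: align trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))    # default padding pattern 1, 2, 3, ...
    return struct.pack("!II", spi, seq) + data + padding + struct.pack("!BB", pad_len, next_header)


def protect(packet: bytes, mode: str, spi: int, seq: int,
            gw_src: str = None, gw_dst: str = None) -> bytes:
    """Apply ESP to an IPv4 datagram in the requested mode."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = b2ip(packet[12:16]), b2ip(packet[16:20])
    if mode == "transport":
        # Original IP header, ESP header, IP payload: only the payload is inside
        # ESP, so the real endpoint addresses stay visible on the wire.
        esp = esp_wrap(spi, seq, packet[ihl:], proto)
        return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp
    if mode == "tunnel":
        # New IP header, ESP header, old IP header, IP payload: the complete
        # original datagram, addresses included, is inside ESP; only the
        # gateway (tunnel endpoint) addresses are visible.
        esp = esp_wrap(spi, seq, packet, IPPROTO_IPIP)
        return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp
    raise ValueError("mode must be 'transport' or 'tunnel'")


def unprotect(packet: bytes):
    """Strip ESP; return (mode, original datagram). The mode is read from Next Header."""
    ihl = (packet[0] & 0x0F) * 4
    outer, esp = packet[:ihl], packet[ihl:]
    if outer[9] != IPPROTO_ESP:
        raise ValueError("outer protocol is not ESP")
    pad_len, next_header = esp[-2], esp[-1]
    inner = esp[8:len(esp) - 2 - pad_len]
    if next_header == IPPROTO_IPIP:
        return "tunnel", inner                # inner bytes are a whole datagram
    # transport: reuse the outer header, restoring protocol, length and checksum
    hdr = bytearray(outer)
    hdr[9] = next_header
    hdr[2:4] = struct.pack("!H", ihl + len(inner))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return "transport", bytes(hdr) + inner


def sample_datagram() -> bytes:
    """Constructed sample: UDP 10.0.0.1:1024 -> 10.0.0.2:4500 carrying b'hello'."""
    udp_payload = b"hello"
    udp = struct.pack("!HHHH", 1024, 4500, 8 + len(udp_payload), 0) + udp_payload
    return ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_UDP, len(udp)) + udp


if __name__ == "__main__":
    original = sample_datagram()
    for mode in ("transport", "tunnel"):
        wire = protect(original, mode, spi=0x1000, seq=1,
                       gw_src="192.0.2.1", gw_dst="198.51.100.1")
        print(f"{mode:9s} on-wire {b2ip(wire[12:16])} -> {b2ip(wire[16:20])}, "
              f"{len(wire)} bytes, ESP Next Header {wire[-1]}")
        assert unprotect(wire) == (mode, original)
```

Running the script prints the on-wire addresses for each mode: in transport mode the outer header still carries 10.0.0.1 and 10.0.0.2 and the trailer's Next Header is 17 (UDP); in tunnel mode only the gateway addresses 192.0.2.1 and 198.51.100.1 are visible, the trailer's Next Header is 4, and the packet is 20 bytes longer because the old IP header travels inside ESP. That difference in what an on-path observer can see is the practical reason the reference steers PDIF traffic to tunnel mode.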
Example
The following command configures the default Tunnel mode:
mode tunnel