IPsec tunnel mode is usually found between site-to-site virtual private networks (VPNs). In this mode, IPsec protects...
the entire IP packet as it transfers from one end to another. IPsec tunnel mode does this by wrapping around the original packet (including the original IP header) and encrypting it with the configured or available encryption algorithms. Next, IPsec adds a new IP header in front of the protected packet and sends it off to the other end of the VPN tunnel.
When the receiving end (the router) accepts the packet, it will reverse the process to find the original IP packet and send it to the local network.
The diagram below (Figure 1) shows an example of a site-to-site network configured with IPsec in tunnel mode:
Figure 1: LAN packets traversing the blue (encrypted) tunnel are wrapped around an IPsec packet using the process described above.
A similar process is followed for a VPN client connecting to its head office using VPN software (like Cisco's VPN Client). The end device at the head office, usually a router or ASA firewall, is configured to accept and terminate client VPN connections and provide access to internal resources. Those interested in configuring a Cisco router to perform this can visit Firewall.cx's Cisco Router VPN Client configuration page. In this example, IPsec works in tunnel mode as it encrypts the original packet. When the original packet arrives at the router or ASA firewall, it will be decrypted and sent to the local network.
It is very important to understand that IPsec tunnel mode protects the entire original packet. No information from the original packet is made visible to the outside world.
This is also illustrated in the diagram below:
Figure 2: An IP packet protected entirely by IPsec tunnel mode protocols. For information on ESP headers, view Firewall.cx's IP security protocol article.
Continue reading this article to learn about IPsec transport mode.