The encapsulation-mode command sets the IPSec encapsulation mode.
The undo encapsulation-mode command restores the default IPSec encapsulation mode.
By default, the tunnel mode is used.
| Parameter | Description | Value |
|---|---|---|
| transport | Encapsulates IP packets in transport mode. | - |
| tunnel | Encapsulates IP packets in tunnel mode. | - |
| auto | Indicates the auto-sensing mode. The tunnel mode is used if the device serves as the IKE negotiation initiator. If the device serves as the responder, both the tunnel mode and transport mode can be used. | - |
IPSec protects an IP packet by adding an AH header, or an ESP header and ESP trailer, to the original packet (AH provides integrity and authentication only; ESP can additionally encrypt the payload). Where those headers are placed, and whether a new IP header is added, is determined by the encapsulation mode. The following two IPSec encapsulation modes are available:
Tunnel mode
In tunnel mode, IPSec treats the entire original IP packet as payload and prepends a new IP header. The source and destination addresses of the new IP header are the IP addresses of the two ends of the tunnel, so the original IP header, including the real end-host addresses, is hidden (and, with ESP, encrypted). This is why tunnel mode is considered more secure than transport mode. In terms of performance, every packet carries the additional outer IP header, so tunnel mode consumes more bandwidth than transport mode.
The tunnel mode is typically used between two security gateways that protect traffic on behalf of the hosts behind them. Packets encrypted by one security gateway can only be decrypted by the other security gateway.
Transport mode
In transport mode, IPSec does not add a new IP header. The AH or ESP header is inserted between the original IP header and its payload, so the original source and destination addresses remain visible and must themselves be the IP addresses of the two ends of the tunnel. In other words, the two devices that encrypt and decrypt the packets must be the original sender and the final receiver of the packet.
Since most of the traffic between two security gateways is not traffic originated by the gateways themselves, transport mode cannot be used between security gateways. Transport mode is suited to communication between two hosts, or between a host and a security gateway; however, it is not recommended because the original IP header is sent in cleartext, which provides lower security than tunnel mode.
Auto-sensing mode
The auto-sensing mode lets the IKE peers negotiate the IPSec encapsulation mode. A device configured with auto proposes tunnel mode when it initiates IKE negotiation, and accepts either tunnel mode or transport mode when it responds, which improves the success rate of IKE negotiation with peers whose mode is not known in advance.
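The layout difference between the two modes is easiest to see on the wire. The following is an added example, not Huawei code and not taken from this page: it builds the same IPv4 packet in tunnel mode and in transport mode using the ESP header and trailer layout of RFC 4303, with NULL encryption (RFC 2410) so the inner packet stays readable and HMAC-SHA-256-128 as the integrity check value. The addresses, the SPI, the authentication key and the 12-byte payload are constructed sample values, and the helper names are the example's own.

```python
"""Tunnel vs transport mode ESP encapsulation, byte for byte.

Added example (not Huawei code). NULL encryption keeps the inner packet
readable so the two layouts can be compared; the ESP header/trailer
placement and the ICV are real RFC 4303 structure.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50       # IP protocol number of ESP
IPPROTO_IPV4 = 4     # ESP "next header" for an encapsulated IPv4 packet (tunnel mode)
ESP_HDR_LEN = 8      # SPI (4 bytes) + sequence number (4 bytes)
ICV_LEN = 16         # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto,
                      0, IPv4Address(src).packed, IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]


def parse_ipv4(pkt):
    """Return the fields an on-path observer can read from an IPv4 header."""
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "payload": pkt[20:total]}


def esp_encapsulate(plaintext, next_header, spi, seq, auth_key):
    """ESP header + payload + trailer (padding, pad length, next header) + ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4          # RFC 4303: trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))          # default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + plaintext + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(esp, auth_key):
    """Verify the ICV, then strip the ESP header and trailer."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[ESP_HDR_LEN:-(2 + pad_len)]


def protect(ip_packet, mode, tunnel_src, tunnel_dst, spi, seq, auth_key):
    """Apply ESP in the requested encapsulation mode."""
    orig = parse_ipv4(ip_packet)
    if mode == "tunnel":
        # Whole original packet becomes the ESP payload; the new outer IP header
        # carries only the tunnel endpoint (gateway) addresses.
        esp = esp_encapsulate(ip_packet, IPPROTO_IPV4, spi, seq, auth_key)
        return ipv4_header(tunnel_src, tunnel_dst, ESP_PROTO, len(esp)) + esp
    if mode == "transport":
        # Original IP header is kept; ESP is inserted between it and the payload,
        # so the end-host addresses stay visible on the wire.
        esp = esp_encapsulate(orig["payload"], orig["proto"], spi, seq, auth_key)
        return ipv4_header(orig["src"], orig["dst"], ESP_PROTO, len(esp)) + esp
    raise ValueError("unknown encapsulation mode: %r" % mode)


def unprotect(pkt, auth_key):
    """Reverse protect(); the ESP next-header field tells us which mode was used."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    _, _, next_header, plain = esp_decapsulate(outer["payload"], auth_key)
    if next_header == IPPROTO_IPV4:               # tunnel mode: payload is a full IP packet
        return plain
    return ipv4_header(outer["src"], outer["dst"], next_header, len(plain)) + plain


# Constructed sample data: two hosts behind two gateways, one 12-byte UDP payload.
KEY = b"constructed-32-byte-auth-key-000"
HOST_A, HOST_B = "10.1.1.10", "10.2.2.20"
GW1, GW2 = "192.0.2.1", "198.51.100.1"
SAMPLE_PACKET = ipv4_header(HOST_A, HOST_B, 17, 12) + b"hello, peer!"


def compare_modes():
    """What an observer sees, the per-packet overhead, and whether each mode round-trips."""
    tun = protect(SAMPLE_PACKET, "tunnel", GW1, GW2, 0x1000, 1, KEY)
    tra = protect(SAMPLE_PACKET, "transport", GW1, GW2, 0x1000, 1, KEY)
    return {
        "tunnel_visible": (parse_ipv4(tun)["src"], parse_ipv4(tun)["dst"]),
        "transport_visible": (parse_ipv4(tra)["src"], parse_ipv4(tra)["dst"]),
        "tunnel_overhead": len(tun) - len(SAMPLE_PACKET),
        "transport_overhead": len(tra) - len(SAMPLE_PACKET),
        "tunnel_roundtrip": unprotect(tun, KEY) == SAMPLE_PACKET,
        "transport_roundtrip": unprotect(tra, KEY) == SAMPLE_PACKET,
    }


def tamper_rejected():
    """Flipping one bit of a protected packet must fail the ICV check."""
    bad = bytearray(protect(SAMPLE_PACKET, "tunnel", GW1, GW2, 0x1000, 1, KEY))
    bad[-1] ^= 1
    try:
        unprotect(bytes(bad), KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for k, v in compare_modes().items():
        print(k, v)
    print("tamper rejected:", tamper_rejected())
```

Running it shows the two points the text makes: in tunnel mode an observer sees only the gateway addresses 192.0.2.1 and 198.51.100.1, while in transport mode the real host addresses 10.1.1.10 and 10.2.2.20 are on the wire; and tunnel mode costs exactly one extra 20-byte IPv4 header per packet on top of the ESP header, trailer and ICV that both modes share. Real ESP with a non-NULL cipher adds an IV and cipher-block padding on top of this, but the placement of the headers is unchanged.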
The two IPSec tunnel ends must use the same encapsulation mode.
When IKEv2 is used, the encapsulation mode in all the IPSec proposals configured on the IKE negotiation initiator must be the same; otherwise, IKE negotiation fails.
When IKEv2 is used and the encapsulation-mode auto command is run on the responder, the responder's IPSec SA time-based lifetime defaults to 604800 seconds (7 days) and its traffic-based lifetime defaults to 0, which disables the traffic timeout on the responder. As a result, the responder does not proactively initiate IPSec SA re-negotiation; re-keying is driven by the initiator.
If both ends use an IPSec policy in ISAKMP mode or an IPSec profile, and the IKE negotiation initiator FW1 is configured with transport mode while the responder FW2 uses the auto-sensing mode, the tunnel is first established in transport mode (FW2, as responder, accepts either mode). When the SA on FW2 ages out, FW2 becomes the IKE negotiation initiator and, because auto means tunnel mode for an initiator, it proposes tunnel mode to FW1. FW1 still requires transport mode, so the encapsulation modes on the two ends are now inconsistent and the IPSec tunnel cannot be re-established. Therefore, ensure that the end configured with the auto-sensing mode (FW2) only ever acts as the IKE negotiation responder; if that cannot be guaranteed, do not use the auto-sensing mode in this scenario and configure the same fixed mode on both ends instead.