
encapsulation-mode

Function

The encapsulation-mode command sets the encapsulation mode for IP packets.

The undo encapsulation-mode command restores the default encapsulation mode for IP packets.

By default, the encapsulation mode is set to tunnel.

Format

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

Parameters

Parameter    Description                                  Value
transport    Sets the encapsulation mode to transport.    -
tunnel       Sets the encapsulation mode to tunnel.       -

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can configure Authentication Header (AH) or Encapsulating Security Payload (ESP) to ensure security based on data confidentiality. If AH is configured, an AH header is generated; if ESP is configured, an ESP header, an ESP tail, and an ESP authentication field are generated. Two encapsulation modes are available for IPSec: transport and tunnel.
  • The transport mode is applicable to a scenario in which two hosts, or a host and a security gateway, are communicating with each other. In transport mode, the two devices encrypting and decrypting packets must be the original packet sender and the final receiver, respectively.
  • The tunnel mode is generally applied to a scenario in which two security gateways are communicating with each other. The packets that are encrypted on the local security gateway can be decrypted only on the peer security gateway. Therefore, an IP packet must be encapsulated in tunnel mode, with a new IP header added. After arriving at the peer security gateway, the IP packet can be decrypted.

Precautions

The encapsulation modes on both IPSec peers must be identical.
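
The following Python check for this precaution is an added example, not part of the original command reference. It resolves the effective encapsulation mode of each IPSec proposal (applying the documented default of tunnel) and compares the two peers. The function names, the sample texts GW_A and GW_B, and the assumed layout (a top-level "ipsec proposal" line followed by indented sub-commands) are constructed for illustration.

```python
import re

DEFAULT_MODE = "tunnel"  # documented default when encapsulation-mode is not set

def proposal_modes(config_text):
    """Return {proposal name: effective encapsulation mode} for one device."""
    modes, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        indented = raw[:1].isspace()
        header = re.fullmatch(r"ipsec proposal (\S+)", line)
        if header and not indented:
            current = header.group(1)
            modes.setdefault(current, DEFAULT_MODE)
        elif not indented:
            current = None  # any other top-level line leaves the proposal view
        elif current is not None:
            if line == "undo encapsulation-mode":
                modes[current] = DEFAULT_MODE  # undo restores the default
            else:
                m = re.fullmatch(r"encapsulation-mode (transport|tunnel)", line)
                if m:
                    modes[current] = m.group(1)
    return modes

def check_pair(local_cfg, local_prop, peer_cfg, peer_prop):
    """Compare the proposals two peers use with each other.

    Returns (status, local_mode, peer_mode); status is ok, mismatch or missing.
    """
    local = proposal_modes(local_cfg).get(local_prop)
    peer = proposal_modes(peer_cfg).get(peer_prop)
    if local is None or peer is None:
        return ("missing", local, peer)
    return ("ok" if local == peer else "mismatch", local, peer)

# Constructed sample input (assumed layout, not captured from a real device).
GW_A = """#
ipsec proposal prop2
 encapsulation-mode transport
#
ipsec proposal prop3
 encapsulation-mode transport
 undo encapsulation-mode
#
"""
GW_B = """#
ipsec proposal prop2
#
"""  # no encapsulation-mode line, so prop2 here uses the default (tunnel)

if __name__ == "__main__":
    print(check_pair(GW_A, "prop2", GW_B, "prop2"))
```

A proposal with no encapsulation-mode line is not unset: it runs in tunnel mode, so a peer explicitly set to transport is reported as a mismatch.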

Example

# Set the encapsulation mode to transport in the security proposal named prop2.

<HUAWEI> system-view
[HUAWEI] ipsec proposal prop2
[HUAWEI-ipsec-proposal-prop2] encapsulation-mode transport
Copyright © Huawei Technologies Co., Ltd.