Encapsulation
The SA encapsulation mode depends on the type of communication required; it determines whether the whole IP packet or only the data portion of the packet is encrypted and authenticated. There are two modes of encapsulation:
- Transport mode is used for host-to-host communications. In transport mode, only the payload of the IP packet is encrypted or authenticated. Routing is unaffected, since the IP header is neither modified nor encrypted; however, when the authentication header (AH) is used, the IP addresses cannot be translated, because the AH hash covers the IP header and translating an address would invalidate it.
- Tunnel mode is used to create virtual private networks. In tunnel mode, the entire IP packet is encrypted or authenticated. It is then encapsulated into a new IP packet with a new IP header.
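As an added illustration (not from this documentation or the vendor's software), the following Python model builds the ESP layout for both modes and an AH transport-mode packet, using a toy text header format, constructed sample addresses and a stand-in cipher, to show which bytes each mode protects and why address translation invalidates the AH hash but not the ESP one.

```python
import hashlib
import hmac
import re

# Constructed sample packet: a toy "IP header" and payload (not real wire format).
IP_HDR = b"src=10.0.0.1;dst=10.0.0.2;"
PAYLOAD = b"GET / HTTP/1.1"
KEY = b"constructed-demo-key"
GATEWAY_HDR = b"src=203.0.113.1;dst=198.51.100.1;"  # constructed outer header for tunnel mode

def icv(key: bytes, data: bytes) -> bytes:
    """Integrity check value: HMAC-SHA256 truncated to 96 bits, as IPsec does."""
    return hmac.new(key, data, hashlib.sha256).digest()[:12]

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for ESP encryption: XOR with a key-derived stream (demo only, not secure)."""
    ks = hashlib.sha256(key).digest()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))

def esp_encapsulate(mode: str, ip_hdr: bytes, payload: bytes, key: bytes) -> dict:
    """Build the ESP layout for 'transport' or 'tunnel' mode: a clear-text outer
    header plus an encrypted body whose ICV covers only the ESP portion."""
    if mode == "transport":
        outer, inner = ip_hdr, payload                # original header kept; only the data is protected
    elif mode == "tunnel":
        outer, inner = GATEWAY_HDR, ip_hdr + payload  # whole original packet is protected
    else:
        raise ValueError(f"unknown mode {mode!r}")
    body = toy_cipher(key, inner)
    return {"outer_header": outer, "esp_body": body, "icv": icv(key, body)}

def esp_verify(pkt: dict, key: bytes) -> bool:
    """ESP does not authenticate the outer IP header, so a NAT rewrite of it still verifies."""
    return hmac.compare_digest(icv(key, pkt["esp_body"]), pkt["icv"])

def ah_transport(ip_hdr: bytes, payload: bytes, key: bytes) -> dict:
    """AH transport mode: nothing is encrypted, but the ICV covers header and payload."""
    return {"header": ip_hdr, "payload": payload, "icv": icv(key, ip_hdr + payload)}

def ah_verify(pkt: dict, key: bytes) -> bool:
    """AH fails as soon as any covered header field (such as an address) changes."""
    return hmac.compare_digest(icv(key, pkt["header"] + pkt["payload"]), pkt["icv"])

def nat_rewrite(header: bytes, new_src: bytes) -> bytes:
    """Simulate a NAT device replacing the source address in a clear-text header."""
    return re.sub(rb"src=[^;]*;", b"src=" + new_src + b";", header, count=1)
```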
This release does not support a default SA encapsulation. You must manually configure IKE map encapsulation.
Use the encapsulation command in IKE map configuration mode to specify the encapsulation mode to use for the SA.