3.1.2. Tunnel Mode

In tunnel mode, the "inner" IP header carries the ultimate (IP) source and destination addresses, while an "outer" IP header contains the addresses of the IPsec "peers," e.g., addresses of security gateways. Mixed inner and outer IP versions are allowed, i.e., IPv6 over IPv4 and IPv4 over IPv6. In tunnel mode, AH protects the entire inner IP packet, including the entire inner IP header. The position of AH in tunnel mode, relative to the outer IP header, is the same as for AH in transport mode. The following diagram illustrates AH tunnel mode positioning for typical IPv4 and IPv6 packets.

    ----------------------------------------------------------------
IPv4 |                              |    | orig IP hdr*  |   |      |
     |new IP header * (any options) | AH | (any options) |TCP| Data |
     ----------------------------------------------------------------
     |<- mutable field processing ->|<------ immutable fields ----->|
     |<- authenticated except for mutable fields in the new IP hdr->|

    --------------------------------------------------------------
IPv6 |           | ext hdrs*|    |            | ext hdrs*|   |    |
     |new IP hdr*|if present| AH |orig IP hdr*|if present|TCP|Data|
     --------------------------------------------------------------
     |<--- mutable field -->|<--------- immutable fields -------->|
     |       processing     |
     |<-- authenticated except for mutable fields in new IP hdr ->|

      * = if present, construction of outer IP hdr/extensions and
          modification of inner IP hdr/extensions is discussed in
          the Security Architecture document.