18.1. Modes of using encryption and authentication
Two modes of encryption and authentication of a connection are possible:
18.1.1. Transport mode
Transport mode is a real end-to-end connection mode. Here, only the payload (usually ICMP, TCP or UDP) is encrypted with their particular header, while the IP header is not encrypted (but usually included in authentication).
Using AES-128 for encryption and SHA1 for authentication, this mode decreases the MTU by 42 octets.
18.1.2. Tunnel mode
Tunnel mode can be used either for end-to-end or for gateway-to-gateway connection modes. Here, the complete IP packet is being encrypted and gets a new IP header prepended .
This mode usually decreases the MTU by 40 octets from the MTU of transport mode.