VLAN tagged 802.1Q frames can be transported over an Internet Protocol (IP) network, for example, by using the Generic Routing Encapsulation (GRE) tunneling protocol, which encapsulates a wide variety of network layer protocol packet types inside IP tunnels, creating a virtual point-to-point link to different routers. IEEE 802.1Q is commonly referred to as VLAN tagging and allows multiple bridged networks to transparently share the same physical network link without leaking information between the networks. Bridging occurs at the Media Access Control (MAC) layer and allows individual VLANs to communicate with each other using switching and layer 3 capabilities. Network devices that operate with 802.1Q compatibility work in conjunction with Internet Protocol Security (IPSec), a suite of protocols that secures IP communications by authenticating and encrypting each IP packet in a data stream. GRE tunnels are usually stateless, i.e., each tunnel endpoint does not maintain information about the state or availability of the remote tunnel endpoint. With GRE, a VLAN tagged frame must be placed into an IP packet, and the resulting IP packet is then transmitted through an IPSec tunnel. This system and method works, but it carries significant and unnecessary overhead; hence the need for a specific network device that transfers VLAN tagged frames directly over an IPSec tunnel with minimal overhead, reducing both processing and packet size overhead.
There are known network devices and systems that encapsulate an IP frame into an IPSec Encapsulating Security Payload (ESP) frame. ESP supports encryption-only and authentication-only configurations, but does not protect the IP packet header. In tunnel mode, however, the original IP packet is entirely encapsulated and a new packet header is added, so ESP protection covers the whole inner IP packet, including the inner header, while the outer header remains unprotected. The encapsulation surrounds the payload rather than preceding it, as in the Authentication Header (AH) wire-level protocol often used by IPSec. Another similar protocol is the Layer 2 Tunneling Protocol (L2TP), which supports virtual private networks but provides neither encryption nor confidentiality. The L2TP packet, including payload and L2TP header, is sent within a UDP datagram.
It is desirable to provide network encryption devices that transport VLAN tagged Ethernet frames through an IPSec tunnel without using GRE or other generic mechanisms, thereby reducing processing and packet size overhead. Greater control over VLAN tagging pass-through and secure IP communications using such devices and systems is also desirable.
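To make the overhead argument of the first paragraph concrete, the following added example (not code from the original document or from any product it describes) parses a constructed 802.1Q frame and accounts, byte by byte, for the GRE-over-IP-over-ESP path against placing the frame directly into ESP tunnel mode as described in the second paragraph. The header sizes are standard protocol values; the ESP IV and ICV sizes assume AES-GCM and the 4-byte ESP padding boundary assumes no cipher block alignment requirement.

```python
import struct

# Header sizes in bytes. Standard protocol values, not taken from the page; the
# ESP IV and ICV sizes assume AES-GCM (8-byte IV, 16-byte ICV) and are assumptions.
DOT1Q_TPID = 0x8100
GRE_HDR = 4       # minimal GRE header (RFC 2784): flags/version + protocol type
IPV4_HDR = 20     # IPv4 header without options
ESP_HDR = 8       # SPI + sequence number
ESP_IV = 8
ESP_TRAILER = 2   # pad length + next header
ESP_ICV = 16

def parse_dot1q(frame: bytes) -> dict:
    """Split an 802.1Q tagged Ethernet frame (FCS excluded) into its fields."""
    dst, src, tpid, tci, ethertype = struct.unpack("!6s6sHHH", frame[:18])
    if tpid != DOT1Q_TPID:
        raise ValueError("not an 802.1Q tagged frame")
    return {"dst": dst, "src": src, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "ethertype": ethertype, "payload": frame[18:]}

def esp_tunnel_overhead(inner_len: int) -> int:
    """Bytes ESP tunnel mode adds around inner_len bytes: new outer IPv4 header,
    ESP header, IV, padding to a 4-byte boundary, trailer and ICV."""
    pad = (-(inner_len + ESP_TRAILER)) % 4
    return IPV4_HDR + ESP_HDR + ESP_IV + pad + ESP_TRAILER + ESP_ICV

def gre_path_len(frame_len: int) -> int:
    """Frame -> GRE header -> delivery IPv4 header -> ESP tunnel, i.e. the
    GRE-based transport the text describes."""
    inner = GRE_HDR + IPV4_HDR + frame_len
    return inner + esp_tunnel_overhead(inner)

def direct_path_len(frame_len: int) -> int:
    """Frame placed straight into ESP tunnel mode (no GRE, no inner IP header)."""
    return frame_len + esp_tunnel_overhead(frame_len)

def compare(frame: bytes) -> dict:
    """On-the-wire size of both paths for one tagged frame, and the bytes saved."""
    n = len(frame)
    gre, direct = gre_path_len(n), direct_path_len(n)
    return {"frame": n, "gre_ipsec": gre, "direct_ipsec": direct, "saved": gre - direct}

# Constructed sample: minimum-size tagged frame, PCP 5, VID 100, IPv4 payload.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!HHH", DOT1Q_TPID, (5 << 13) | 100, 0x0800)
                + bytes(46))

if __name__ == "__main__":
    print(parse_dot1q(SAMPLE_FRAME)["vid"], compare(SAMPLE_FRAME))
```

For the 64-byte sample frame the GRE path costs 24 bytes more per packet than the direct path, which is exactly the GRE header plus the inner IPv4 header; with both being multiples of 4, the ESP padding is unchanged.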