04-09-2008 02:40 AM - edited 03-09-2019 08:28 PM
Just messing around in a lab with a few routers. Trying to bring up transport mode first on an IPSEC tunnel. All seems correct, but it constantly comes up in Tunnel Mode. I can't see why.
Can anyone see anything obvious?
Enclosed are configs and a WireShark capture of the output - as you can see it's Tunnel Mode - and not Transport.
The output of "show crypto ipsec sa" demonstrates the fact that it's Tunnel mode.
04-09-2008 09:23 AM
Fergus
You have showed us parts of the configuration but not some others. The crypto map uses access list 100 to match traffic. Can you tell us what is in this access list?
In the command reference the information about mode transport says that "This setting is only used when the traffic to be protected has the same IP addresses as the IPSec peers (this traffic can be encapsulated either in tunnel or transport mode). This setting is ignored for all other traffic (all other traffic is encapsulated in tunnel mode)"
My guess is that the traffic being sent through IPSec does not meet this condition. If you are interested here is the link:
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_i2g.html#wp1072724
HTH
Rick
04-10-2008 01:28 AM
Thanks for the reply Rick.
The access list is a catch-all:
access-list 100 permit ip any any
It's a strange one to grasp really.
"traffic to be protected has the same IP addresses as the IPSec peers "
My routers are peers - 192.168.1.1 & 192.168.1.2
If I ping from .1 to .2, or .2 to .1, in my mind this represented "the same IP addresses as the IPSEC peers". Other than the ping, I don't know how I can simulate peer traffic that would come up in transport mode. Do you?
Once the IPSEC link is built, and it's a tunnel link, I don't think it will ever divert away from this and create a separate transport mode link, so all traffic will ride across it.
It's not a big deal I suppose. Router to router connections don't seem to support transport mode.
I know what the packets would look like, which is the most important thing really. The headers are just in different positions.
Thanks again for taking the time to answer Rick.
04-10-2008 09:11 AM
Fergus
The times that I have used transport mode (and it did work well) were when I was configuring IPSec with GRE tunnels. I used transport mode and the tunnels came up in transport mode. And since the GRE tunnel packets use the router interface as their address, they do meet the criteria of the same IP addresses as the IPSEC peers.
HTH
Rick
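The rule Rick quotes from the command reference, and the GRE case he describes, can be checked offline with the small Python model below. It is an added example, not code from the thread or from Cisco: it parses crypto ACL entries in the syntax used in this thread, treats the ACL entry's address pair as "the traffic to be protected" (an assumption of this model, so the selector is the entry, not the individual ping packet), and applies the rule that "mode transport" is honoured only when that pair is exactly the two peer addresses. The access lists other than 100 are constructed for the example, as are the names negotiated_mode, parse_ace and packet_layout.

```python
import ipaddress
from dataclasses import dataclass

# Peer addresses from the thread.
LOCAL_PEER, REMOTE_PEER = "192.168.1.1", "192.168.1.2"


@dataclass(frozen=True)
class CryptoAce:
    """One crypto ACL entry: protocol plus source and destination networks."""
    protocol: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_operands(tokens):
    """Turn 'any', 'host A' or 'A wildcard' operands into IPv4Network objects."""
    nets = []
    while tokens:
        if tokens[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            tokens = tokens[1:]
        elif tokens[0] == "host":
            nets.append(ipaddress.ip_network(tokens[1] + "/32"))
            tokens = tokens[2:]
        else:
            # IOS wildcard mask: invert it to get the ordinary netmask.
            addr, wildcard = tokens[0], tokens[1]
            mask_int = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
            netmask = str(ipaddress.ip_address(mask_int))
            nets.append(ipaddress.ip_network((addr, netmask), strict=False))
            tokens = tokens[2:]
    return nets


def parse_ace(line: str) -> CryptoAce:
    """Parse 'access-list <n> permit <proto> <src> <dst>' (the form used in the thread)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "permit":
        raise ValueError("only 'access-list <n> permit ...' entries are modelled here")
    src, dst = _parse_operands(tokens[4:])
    return CryptoAce(tokens[3], src, dst)


def negotiated_mode(configured_mode: str, local_peer: str, remote_peer: str,
                    ace: CryptoAce) -> str:
    """Apply the command-reference rule: 'mode transport' is used only when the
    protected traffic has the same addresses as the IPsec peers; everything
    else (and any transform set configured for tunnel) is tunnel mode."""
    if configured_mode != "transport":
        return "tunnel"
    local = ipaddress.ip_network(local_peer + "/32")
    remote = ipaddress.ip_network(remote_peer + "/32")
    if (ace.src, ace.dst) in ((local, remote), (remote, local)):
        return "transport"
    return "tunnel"


def packet_layout(mode: str, inner_protocol: str) -> list:
    """Header order on the wire for ESP in each mode (the 'headers in different
    positions' point from the thread)."""
    if mode == "tunnel":
        return ["outer IP (peer to peer)", "ESP", "inner IP (original)",
                inner_protocol, "ESP trailer + ICV"]
    return ["IP (original, peer to peer)", "ESP", inner_protocol, "ESP trailer + ICV"]


# Constructed cases: access-list 100 is the thread's catch-all; the others are
# made up here to show when the rule does and does not pick transport mode.
CASES = {
    "catch_all":         "access-list 100 permit ip any any",
    "peer_hosts":        "access-list 101 permit ip host 192.168.1.1 host 192.168.1.2",
    "gre_between_peers": "access-list 102 permit gre host 192.168.1.1 host 192.168.1.2",
    "lan_to_lan":        "access-list 103 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
}


def evaluate_all(configured_mode: str = "transport") -> dict:
    """Mode each constructed ACL entry would negotiate with 'mode transport' configured."""
    return {name: negotiated_mode(configured_mode, LOCAL_PEER, REMOTE_PEER, parse_ace(ace))
            for name, ace in CASES.items()}


if __name__ == "__main__":
    for name, mode in evaluate_all().items():
        print(f"{name:18s} -> {mode:9s} {packet_layout(mode, 'ICMP')}")
```

Under this model the catch-all "permit ip any any" selector (0.0.0.0/0 to 0.0.0.0/0) is not the peer pair, so it falls back to tunnel mode, which matches what the "show crypto ipsec sa" output in the first post reported; an entry scoped to the two router addresses, including a GRE entry between them, is the one case where transport mode is honoured.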