IPSec Transport Mode

MW20082008
Level 1

Quick question:

here is the scenario:

Site-to-site VPN between 2 routers.

Routers separated by public Internet.

RFC 1918 addresses on source and destination networks.

Question:

If in transport mode, IPSec does not encrypt the original IP header, but instead leaves it exposed for routing purposes, is it then true that you can't run IPSec transport mode when you have private addresses on both ends? You can't route private addresses over the public Internet, of course... hence, my question.

In tunnel mode, the original IP packet is totally encapsulated by an IPSec packet, and the IPSec tunnel endpoints are the addresses that are exposed and used for routing the user traffic. So, of course, tunnel mode is perfectly acceptable.

2 Replies

dongdongliu
Level 1

Hi,

Transport mode is used to protect each user. You can set one-to-one NAT at the router, transforming private addresses to public addresses, for a transport mode VPN connection. This is not good for expandability.

Tunnel mode is good for L2L VPN: more flexibility and more expandability, and it can use private addresses.

Regards

dongdong

OK, Dong:

So, if I understand you correctly, what you're saying is that the only way to use IPSec transport mode with private addresses is to NAT them to public addresses --- which makes perfect sense and is something I would have done. I was wondering if I understood the technology and its limitations correctly in the first place, though.

Thanks
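The point the thread turns on, as an added example (not code from the thread, from Cisco, or from either poster): a small Python model of the outer IP header an Internet router actually forwards on in each ESP mode. It covers the three cases discussed above, transport mode between RFC 1918 hosts, transport mode with the one-to-one NAT the reply suggests, and tunnel mode between the gateways. The host and gateway addresses, the static NAT table, and the function names are constructed for illustration; the model covers only outer addressing, which is what decides whether the packet can cross the public Internet.

```python
"""Model of the outer IP header an Internet router sees for ESP in transport
vs. tunnel mode. Added example, not from the thread; all addresses are
constructed (RFC 1918 for hosts, RFC 5737 documentation ranges for 'public')."""
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample addressing (assumption, not from the thread).
HOST_A = "10.1.1.10"      # host behind router A, RFC 1918
HOST_B = "192.168.2.20"   # host behind router B, RFC 1918
GW_A = "203.0.113.1"      # router A Internet-facing address (documentation range)
GW_B = "198.51.100.1"     # router B Internet-facing address (documentation range)

# One-to-one (static) NAT table of the kind the reply suggests for transport
# mode: private host address -> public address. Constructed values.
STATIC_NAT = {HOST_A: "203.0.113.10", HOST_B: "198.51.100.20"}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ESP = 50  # IP protocol number for ESP


@dataclass(frozen=True)
class OuterHeader:
    """The only header fields an on-path router uses to forward the packet."""
    src: str
    dst: str
    protocol: int


def esp_transport(inner_src, inner_dst):
    """Transport mode: ESP is inserted between the original IP header and the
    payload. The original header stays in the clear, so the outer addresses
    are the end hosts' own addresses."""
    return OuterHeader(inner_src, inner_dst, ESP)


def esp_tunnel(inner_src, inner_dst, gw_src, gw_dst):
    """Tunnel mode: the whole original packet, header included, becomes the
    encrypted ESP payload and a new IP header between the gateways is
    prepended. inner_src/inner_dst are accepted only to show that they never
    reach the outer header."""
    return OuterHeader(gw_src, gw_dst, ESP)


def apply_static_nat(header, mapping):
    """Rewrite outer src/dst through a one-to-one NAT table; unmapped
    addresses pass through unchanged."""
    return replace(header,
                   src=mapping.get(header.src, header.src),
                   dst=mapping.get(header.dst, header.dst))


def is_rfc1918(addr):
    """True if addr falls in one of the three RFC 1918 private ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def internet_routable(header):
    """A packet whose outer src or dst is RFC 1918 has no route on the public
    Internet (and is commonly filtered at the edge), whatever ESP encrypts."""
    return not (is_rfc1918(header.src) or is_rfc1918(header.dst))


def scenarios():
    """Return {case name: routable over the Internet?} for the three cases
    discussed in the thread."""
    transport = esp_transport(HOST_A, HOST_B)
    return {
        "transport, private hosts": internet_routable(transport),
        "transport + one-to-one NAT": internet_routable(
            apply_static_nat(transport, STATIC_NAT)),
        "tunnel, gateways": internet_routable(
            esp_tunnel(HOST_A, HOST_B, GW_A, GW_B)),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28s} -> {'routable' if ok else 'NOT routable'}")
```

Running it prints one line per case: plain transport mode between the two private hosts is the only one that is not routable, because the cleartext original header carries 10.1.1.10 and 192.168.2.20; once the router maps those one-to-one to public addresses, or once tunnel mode wraps the packet in a header between 203.0.113.1 and 198.51.100.1, the outer header is routable. The same `internet_routable` check is a useful mental test for any proposed IPsec design: look only at the outer header and ask whether every transit network can forward it.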
