IPsec VPN Transport Mode question

dragonhunt9111
Level 1

Dear friends,

I am new to IPsec VPN. I have configured this topology with a transport mode VPN:

transport mode.png

(I have done it in tunnel mode)

But when I configure it in transport mode, I can ping from PC1 to PC2 successfully, but when capturing packets, in theory I should see the source IP (192.168.3.100) and destination IP (192.168.4.100), right? But I only see the WAN IPs, the same as in tunnel mode.

ip source.png

When I run show crypto ipsec sa peer 10.4.5.4 on R3, it still says "tunnel mode":

.....
outbound esp sas:
spi: 0xDB51A99C(3679562140)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }

This is my configuration:

============================

R3:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2

crypto isakmp key 123456 address 10.4.5.4
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
mode transport
!

crypto map CM 10 ipsec-isakmp
set peer 10.4.5.4
set transform-set TS
match address 100
!
access-list 100 permit ip host 192.168.3.100 host 192.168.4.100

R4 is similar:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2

crypto isakmp key 123456 address 10.3.5.3
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
mode transport
!

crypto map CM 10 ipsec-isakmp
set peer 10.3.5.3
set transform-set TS
match address 100
!
access-list 100 permit ip host 192.168.4.100 host 192.168.3.100

============================

Please help me understand this,

Thank you!!

4 Replies

Transport mode can only be used if:

  • The device that protects (encrypts) the data is also the device that generated the data.
  • The device that decrypts the data is also the device that has to receive the data.

Why this requirement? In transport mode you don't add a new IP header. But on the way from PC1 to PC2 you need two IP headers. When the packet leaves PC1, the source is PC1 and the destination is PC2. But after encryption, the packet has to traverse the unsecured network. Now a new IP header is added with a source of R3 and a destination of R4. This additional header can only be added in tunnel mode.

The routers "know" of this and automatically change the operation mode from transport to tunnel.

Thank you Karsten,

So this is an expected behavior of the router (it encrypts data between PC1 and PC2 even if I use transport mode).

I have tested a PING from 192.168.3.1 on R3 to 192.168.4.1 on R4, then captured; it still shows the WAN IPs as source and destination, not the original IPs of the packet.

Is this also an expected behavior of the router? Please help.

Thanks a lot!!

This is all expected behavior, also for the router-to-router test. Here the new encapsulated packet has the WAN IPs, which do not match the traffic that you define in the crypto ACL.
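To make the two points in the replies above concrete (transport mode only fits when the IPsec peers are themselves the packet's endpoints, and only traffic matching the crypto ACL is protected at all), here is a small Python model of what R3 puts on the WAN for one packet. This is an added example, not code from the thread or from Cisco IOS; the addresses are the thread's (R3 WAN 10.3.5.3, R4 WAN 10.4.5.4, PC1 192.168.3.100, PC2 192.168.4.100), while the function names, the packet dataclasses and the router-to-router ACL in the last demo are assumptions made for illustration. No real ESP framing or cryptography is performed; the model only shows which IP header is visible to a sniffer on the WAN link.

```python
"""Toy model of IPsec mode selection and on-wire headers for the thread's topology.

Added example (not code from the forum thread or from Cisco IOS). Addresses come
from the thread; function names and the packet model are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP = 1   # IP protocol numbers
ESP = 50


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class OnWire:
    outer: IPHeader             # header a sniffer on the WAN link sees
    mode: str                   # "clear", "transport" or "tunnel"
    inner: Optional[IPHeader]   # encrypted original header (tunnel mode only)


def matches_crypto_acl(pkt: IPHeader, acl: List[Tuple[str, str]]) -> bool:
    """Crypto ACL modelled as (src_host, dst_host) pairs, i.e. 'permit ip host A host B'."""
    return any(pkt.src == s and pkt.dst == d for s, d in acl)


def select_mode(requested: str, pkt: IPHeader, local_peer: str, remote_peer: str) -> str:
    """Transport mode keeps the original IP header, so it is only usable when the
    IPsec peers are themselves the packet's endpoints. Otherwise the SA falls back
    to tunnel mode, which is the automatic change described in the thread."""
    if requested == "transport" and pkt.src == local_peer and pkt.dst == remote_peer:
        return "transport"
    return "tunnel"


def forward(pkt: IPHeader, local_peer: str, remote_peer: str,
            acl: List[Tuple[str, str]], requested: str = "transport") -> OnWire:
    """What the local router puts on the WAN for one packet it forwards or originates."""
    if not matches_crypto_acl(pkt, acl):
        # Not 'interesting' traffic: routed in the clear, original header untouched.
        return OnWire(pkt, "clear", None)
    mode = select_mode(requested, pkt, local_peer, remote_peer)
    if mode == "transport":
        # Original addresses kept; protocol becomes ESP and only the payload is protected.
        return OnWire(IPHeader(pkt.src, pkt.dst, ESP), mode, None)
    # Tunnel mode: the whole original packet becomes the ESP payload behind a new outer header.
    return OnWire(IPHeader(local_peer, remote_peer, ESP), mode, pkt)


R3_WAN, R4_WAN = "10.3.5.3", "10.4.5.4"
PC1, PC2 = "192.168.3.100", "192.168.4.100"
R3_ACL_100 = [(PC1, PC2)]   # access-list 100 permit ip host 192.168.3.100 host 192.168.4.100


def demo_pc1_to_pc2() -> OnWire:
    """The original question: transport requested, but PC1/PC2 are not the peers."""
    return forward(IPHeader(PC1, PC2, ICMP), R3_WAN, R4_WAN, R3_ACL_100)


def demo_lan_interface_ping() -> OnWire:
    """The follow-up test: 192.168.3.1 -> 192.168.4.1 does not match ACL 100 at all."""
    return forward(IPHeader("192.168.3.1", "192.168.4.1", ICMP), R3_WAN, R4_WAN, R3_ACL_100)


def demo_router_to_router() -> OnWire:
    """Hypothetical ACL naming the WAN addresses: the peers are the endpoints,
    so transport mode is genuinely possible and the original header survives."""
    return forward(IPHeader(R3_WAN, R4_WAN, ICMP), R3_WAN, R4_WAN, [(R3_WAN, R4_WAN)])


if __name__ == "__main__":
    for name, r in (("PC1->PC2", demo_pc1_to_pc2()),
                    ("LAN if ping", demo_lan_interface_ping()),
                    ("R3->R4", demo_router_to_router())):
        print(f"{name:12s} mode={r.mode:9s} wire={r.outer.src}->{r.outer.dst} proto={r.outer.proto}")
```

Running it shows the three outcomes side by side: the PC1 to PC2 ping ends up in tunnel mode with 10.3.5.3 to 10.4.5.4 and protocol 50 on the wire, the 192.168.3.1 to 192.168.4.1 ping misses the crypto ACL and is routed unprotected, and only traffic the router itself originates to its peer can keep its original header in transport mode.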

M02@rt37
VIP

Hello @dragonhunt9111,

In transport mode, only the IP payload (the actual data you're transmitting) is encrypted and/or authenticated, leaving the original IP header intact.

In your configuration, you're using transport mode with encryption between R3 and R4. However, since the original IP headers are left intact, the routers will use the source and destination IP addresses of the original packets in the inner IP header. So, when you capture the packets, you will indeed see the source and destination IPs as they were in the original unencrypted packet, not the WAN IPs.

The reason you see the WAN IPs in the capture is that those are the IP addresses of the routers themselves, and they're used as the endpoints of the VPN tunnel. The routers encapsulate and encrypt the original packets inside their own IP headers, which are used for routing the encrypted traffic between the routers.

So, even in transport mode, your original communication IPs will remain visible within the encrypted tunnel, and the outer IP headers will show the IP addresses of the routers themselves. This behavior is expected and correct for a transport mode IPsec VPN.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.