Transport mode in IPSEC

Cisco Freak
Level 4

Hi All,

I am trying to learn the difference between transport mode and tunnel mode in an IPSEC VPN setup. I have read that transport mode uses the original IP header as the outer IP header and sends the data to the destination. Tunnel mode adds a new outer IP header and provides the encryption service between the VPN gateways only.

Tunnel mode:

|-----Encrypted------------|
Data | Original IP Header | ESP Header | New IP Header

In Transport mode only the data is encrypted, and the original IP header is placed in front of the ESP header.

|--Encrypted--|
Data | ESP Header | Original IP Header

Is it right to say that in both modes the destination VPN gateway router will decrypt the VPN traffic? If so, what is the benefit of transport mode? One less header, is that the benefit of transport mode?

CF

8 Replies

Hello,

transport mode reduces packet size anywhere between 50 and 57 bytes, depending on the size of the original packet. So that is the main benefit. 

Tunnel mode is usually configured for Site-to-site VPNs that are using the public Internet; as it encrypts the entire packet, it is more secure than transport mode.

That is the short answer. Here is a pretty good link:

http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html

Hello Georg,

Can you please explain how transport mode reduces the packet size by 50 to 57 bytes? I am not able to understand that. Tunnel mode adds just one extra IP header, which adds 20 extra bytes. Can you please explain whether anything else also changes in tunnel mode?

What is the practical use case of transport mode? In which situation do we need to use transport mode?

Krshna

Hello,

the additional packet size of 50 to 57 bytes in tunnel mode is derived from the size of the padding field in the ESP packet, which depends on the size of the original packet, so it is variable.

Tunnel mode is the default, and used for site to site VPNs. Transport mode is used for e.g. traffic between servers, that is, from end station to end station.
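An added example, not from this thread, that works through the ESP size arithmetic the replies above are discussing: which fields each mode adds around the original packet, and why the padding (and therefore the overhead) varies with the payload length. It assumes IPv4 (20-byte header), AES-CBC with a 16-byte block and 16-byte IV, and a 12-byte ICV; those parameters are assumptions, not values from the thread.

```python
# Added example: ESP encapsulation layout and overhead, transport vs tunnel mode.
# Assumed parameters: IPv4 header 20 bytes, AES-CBC (16-byte block, 16-byte IV),
# 12-byte ICV. ESP header = SPI (4) + sequence number (4); ESP trailer = pad length (1)
# + next header (1). No encryption is performed; only the sizes are modelled.
from dataclasses import dataclass

ESP_HDR = 8       # SPI (4) + sequence number (4), always in clear
ESP_TRAILER = 2   # pad length (1) + next header (1), always encrypted


@dataclass
class EspLayout:
    mode: str
    outer_ip: int            # original header (transport) or new header (tunnel)
    esp_header: int
    iv: int
    encrypted_ip_header: int  # original IP header inside ESP; tunnel mode only
    payload: int
    padding: int             # brings the encrypted part up to a cipher block boundary
    trailer: int
    icv: int

    @property
    def total(self) -> int:
        return (self.outer_ip + self.esp_header + self.iv + self.encrypted_ip_header
                + self.payload + self.padding + self.trailer + self.icv)


def esp_layout(mode, payload_len, ip_hdr=20, block=16, iv_len=16, icv_len=12):
    """Size of every field of an ESP packet carrying `payload_len` bytes of data."""
    if mode not in ("transport", "tunnel"):
        raise ValueError(f"unknown mode: {mode}")
    # Tunnel mode encrypts the original IP header together with the payload and
    # prepends a new outer header; transport mode keeps the original header outside
    # and encrypts only the payload. That difference changes what gets padded.
    inner_hdr = ip_hdr if mode == "tunnel" else 0
    to_pad = inner_hdr + payload_len + ESP_TRAILER
    padding = (-to_pad) % block          # pad up to the next multiple of the block size
    return EspLayout(mode, ip_hdr, ESP_HDR, iv_len, inner_hdr,
                     payload_len, padding, ESP_TRAILER, icv_len)


def overhead(mode, payload_len, **kw):
    """Bytes added on the wire relative to the original packet (ip_hdr + payload)."""
    lay = esp_layout(mode, payload_len, **kw)
    return lay.total - (lay.outer_ip + payload_len)


def tunnel_minus_transport(payload_lens):
    """Extra bytes tunnel mode costs over transport mode, per payload length."""
    return {n: overhead("tunnel", n) - overhead("transport", n) for n in payload_lens}
```

With these parameters the gap between the modes is not a constant 20 bytes: the new outer header is 20 bytes, but because the 20-byte original header is also inside the padded region in tunnel mode, the padding shifts and the difference alternates between 16 and 32 bytes depending on the payload length.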

So when we use transport mode to send traffic from 100 clients in site A to 100 clients in site B, all those 200 clients should have the configuration for encrypting and decrypting traffic. Is that right?

Hello,

the VPN routers (gateways) are taking care of the encryption. You would use transport mode in a private site to site VPN, that is, one that is not using the public Internet.

Sorry. I am getting confused. :(

You mentioned transport mode gives end station to end station communication. If gateways are doing encryption/decryption how is it end to end protection?

With transport mode it has to be end-to-end protection because the IP header is not changed, or, to put it another way, the VPN traffic is for the tunnel endpoints.

If the VPN traffic is for devices beyond one or both of the tunnel endpoints then you have to use tunnel mode.

Jon

Thanks for explaining it Jon! 
