IPSEC mode

alan-wong
Level 1

I would like to know which mode, "transport" or "tunnel", is more secure and fast. I read a Cisco page that said "mode transport" only protects the payload, but not the IP header. I would like to know which mode is the best choice for a site-to-site VPN tunnel.

The "mode tunnel" protects the entire original IP packet. It seems more secure, but does that mean it is not faster than "mode transport"? Thank you for your advice and help.

crypto ipsec transform-set newer esp-des esp-sha-hmac
  mode transport

crypto ipsec transform-set newer esp-des esp-sha-hmac
  mode tunnel

2 Accepted Solutions

Richard Burts
Hall of Fame

I do not believe that there is any significant difference between tunnel mode and transport mode in terms of one being more "secure" than the other. They both offer the same options for encryption of the payload and the same ability to protect against spoofing, replay and man-in-the-middle attacks.

There may be a little difference in terms of speed, since tunnel mode adds another header that transport mode does not use. So the packet is a bit smaller and there is (slightly) less encryption to perform in transport mode. While I think that there might be a little performance difference, I do not believe that the difference is significant.

Which is the best choice may depend a bit on what feature you are using. For example, in doing site-to-site VPN using VTI, which has a VPN profile, it operates only in tunnel mode (even if you configure it to use transport mode, the negotiation of the tunnel will wind up with tunnel mode being used).

HTH

Rick


To add to what Rick mentioned in his last paragraph: most of the time you don't have any choice and can only use tunnel mode. If you build a pure IPsec VPN with crypto maps, you have to use tunnel mode; VTI (as mentioned) only uses tunnel mode; remote-access VPN only uses tunnel mode.

Or the other way round:
You can only use transport mode if the device that generates the data also protects it and the device that decrypts the data also processes it. Most of the time that is not the case, as a client generates the data, a router protects it, another router decrypts it and passes it on to a server which processes the data.

One VPN style where you can use transport mode is GRE over IPsec.

The above traffic flow is the same, but this time the router builds a new (GRE) IP packet. This can be protected in transport mode, as the router generated the GRE packet. The IPsec peer receives the packet, decrypts it and is the recipient of the GRE packet. So here transport mode can be used.

The more typical usage of transport mode is IPsec for end-to-end encryption, where the PCs (for example AD-joined PCs) are forced to use IPsec by policy.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
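As an added illustration that is not part of the thread (not Rick's, the second answerer's or Cisco's code): a small Python model of the two ESP layouts discussed above. It computes how many bytes each mode encrypts and how large the resulting packet is for the esp-des esp-sha-hmac transform set in the question, and checks the rule from the second answer that transport mode requires the IPsec peers to be the packet's own source and destination. The header sizes, addresses and payload lengths are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumed IPv4 sizes in bytes, no IP options; matches the esp-des esp-sha-hmac
# transform set in the question: DES-CBC (8-byte IV and block), HMAC-SHA1-96 ICV.
IP_HDR = 20
ESP_HDR = 8       # SPI (4) + sequence number (4)
DES_IV = 8
DES_BLOCK = 8
ESP_TRAILER = 2   # pad length (1) + next header (1)
SHA1_ICV = 12     # truncated HMAC-SHA1 integrity check value


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload_len: int  # bytes following the IP header (e.g. a TCP segment)


def esp_sizes(pkt: Packet, mode: str) -> dict:
    """Bytes encrypted and total on-the-wire size of pkt protected by ESP in `mode`."""
    if mode not in ("transport", "tunnel"):
        raise ValueError(f"unknown IPsec mode: {mode}")
    # Tunnel mode encapsulates the original IP header inside the ESP payload;
    # transport mode reuses it as the outer header and encrypts only what follows.
    inner = pkt.payload_len + (IP_HDR if mode == "tunnel" else 0)
    pad = (-(inner + ESP_TRAILER)) % DES_BLOCK  # pad up to the cipher block size
    encrypted = inner + pad + ESP_TRAILER
    total = IP_HDR + ESP_HDR + DES_IV + encrypted + SHA1_ICV
    return {"encrypted": encrypted, "total": total}


def transport_mode_allowed(pkt: Packet, peer_a: str, peer_b: str) -> bool:
    """Transport mode only works when the IPsec peers are the packet's own endpoints."""
    return (pkt.src, pkt.dst) in {(peer_a, peer_b), (peer_b, peer_a)}


if __name__ == "__main__":
    # Constructed sample: two site routers (the IPsec peers) and a host behind each.
    r1, r2 = "203.0.113.1", "198.51.100.1"
    host_pkt = Packet("10.1.1.10", "10.2.2.20", 1400)  # client -> server via both routers
    gre_pkt = Packet(r1, r2, 4 + IP_HDR + 1400)         # router-built GRE packet carrying host_pkt
    for mode in ("transport", "tunnel"):
        print(mode, esp_sizes(host_pkt, mode))           # tunnel is 16 bytes larger here
    print("host packet, transport allowed:", transport_mode_allowed(host_pkt, r1, r2))  # False
    print("GRE packet, transport allowed:", transport_mode_allowed(gre_pkt, r1, r2))    # True
```

The size difference between the modes is the encapsulated inner IP header minus whatever padding the block cipher absorbs, which is why the gap is small relative to the packet.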
