Router to Router IPSec Tunnel using Transport Mode

limlayhin
Level 1

Hi All: 

I understand that we should use Tunnel Mode for an IPSec tunnel between 2 routers, in its tunnel interface.

Reference: http://www.ciscopress.com/articles/article.asp?p=25477

I am wondering what happens if it is set to Transport mode. Does traffic still get encrypted?

I have 2 routers set this way and the IPSec tunnel is working. 

Example Config:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key abcdkey address 110.111.112.113

crypto ipsec transform-set SiteA_SiteB esp-3des esp-md5-hmac
 mode transport

crypto ipsec profile SiteA_SiteB
 set transform-set SiteA_SiteB

interface Tunnel1001
 description Tunnel1 to Site A to Site B
 ip address 192.168.1.1 255.255.255.252
 ip tcp adjust-mss 1400
 tunnel source FastEthernet0/1
 tunnel destination 110.111.112.113
 tunnel protection ipsec profile SiteA_SiteB


Mark Malone
VIP Alumni

Hi,

You should use transport mode when using GRE with IPsec between 2 routers; traffic is still encrypted with transport mode.

The payload is encapsulated by the IPSec headers and trailers. ... IPSec transport mode is usually used when another tunneling protocol (like GRE) is used to first encapsulate the IP data packet, then IPSec is used to protect the GRE tunnel packets. IPSec protects the GRE tunnel traffic in transport mode

Hi, 

<The payload is encapsulated by the IPSec headers and trailers. ... IPSec transport mode is usually used when another tunneling protocol (like GRE) is used to first encapsulate the IP data packet, then IPSec is used to protect the GRE tunnel packets. IPSec protects the GRE tunnel traffic in transport mode>

This sounds great. Do you have any reference on this concept?

Hi, we use transport mode and we're a secure company. I can assure you it's encrypted, as if we sniff our VPN routers set up using this mode, we don't see anything in Wireshark in terms of packets being seen.

http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html

Awesome,

Thank you very much.

Nothing bad will happen if you switch to transport-mode. The router will still use Tunnel-mode as transport mode will not work in this situation. The router is "intelligent" enough to realize that. Still, it would be a misconfiguration IMHO.
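
An added example, not part of the original thread: the on-the-wire size of one ESP-protected GRE packet in each mode, using the esp-3des / esp-md5-hmac transform set and the 1400-byte MSS from the posted config. It assumes 20-byte IPv4 headers without options, a basic 4-byte GRE header, a 20-byte TCP header and no NAT-T; the function names are illustrative.

```python
# Added example: wire size of one ESP-protected GRE packet, transport vs tunnel mode.
# Assumed sizes: IPv4 headers without options, basic 4-byte GRE header, no NAT-T.
IPV4_HDR, GRE_HDR, TCP_HDR = 20, 4, 20
ESP_HDR = 8        # SPI (4) + sequence number (4), sent in clear
ESP_TRAILER = 2    # pad length (1) + next header (1), encrypted
DES3_IV = 8        # esp-3des: CBC IV carried in every packet
DES3_BLOCK = 8     # esp-3des: plaintext padded to 8-byte blocks
MD5_96_ICV = 12    # esp-md5-hmac: HMAC-MD5 truncated to 96 bits


def esp_size(protected_len):
    """ESP header + IV + padded ciphertext + ICV around protected_len bytes."""
    plain = protected_len + ESP_TRAILER
    padded = -(-plain // DES3_BLOCK) * DES3_BLOCK   # round up to block size
    return ESP_HDR + DES3_IV + padded + MD5_96_ICV


def wire_size(inner_ip_len, mode):
    """Total outer IPv4 packet length for an inner IP packet sent via the GRE tunnel."""
    gre_payload = GRE_HDR + inner_ip_len
    if mode == "transport":
        # [IP][ESP][GRE][inner IP packet]: GRE's delivery IP header is kept, ESP
        # encrypts GRE and everything inside it.
        protected = gre_payload
    elif mode == "tunnel":
        # [new IP][ESP][delivery IP][GRE][inner IP packet]: same data encrypted,
        # plus a second copy of the router-to-router IP header.
        protected = IPV4_HDR + gre_payload
    else:
        raise ValueError(f"unknown mode: {mode}")
    return IPV4_HDR + esp_size(protected)


def max_mss(mode, mtu=1500):
    """Largest TCP MSS whose full-size segment needs no fragmentation at this MTU."""
    mss = mtu
    while wire_size(IPV4_HDR + TCP_HDR + mss, mode) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    inner = IPV4_HDR + TCP_HDR + 1400   # full segment at "ip tcp adjust-mss 1400"
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s} wire={wire_size(inner, mode)} max_mss={max_mss(mode)}")
```

Under these assumptions a full segment at MSS 1400 is 1496 bytes on the wire in transport mode and 1520 bytes in tunnel mode, so with a 1500-byte path MTU only the transport-mode packet avoids fragmentation.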
