IPSec Transport Mode

MW20082008
Level 1

Quick question:

here is the scenario:

Site-to-site VPN between 2 routers.

Routers separated by public Internet.

RFC 1918 addresses on source and destination networks.

Question:

If, in transport mode, IPSec does not encrypt the original IP header but instead leaves it exposed for routing purposes, is it then true that you can't run IPSec transport mode when you have private addresses on both ends? You can't route private addresses over the public Internet, of course... hence my question.

In tunnel mode, the original IP packet is totally encapsulated by an IPSec packet, and the IPSec tunnel endpoints are the addresses that are exposed and used for routing the user traffic. So, of course, tunnel mode is perfectly acceptable.

2 Replies

vkapoor5
Level 5

When transport mode is used, IPSec encrypts only the IP payload. Transport mode provides the protection of an IP payload through an AH or ESP header. Typical IP payloads are TCP segments (containing a TCP header and TCP segment data), a UDP message (containing a UDP header and UDP message data), and an ICMP message (containing an ICMP header and ICMP message data).

http://technet2.microsoft.com/windowsserver/en/library/c3a956bf-704b-4980-9655-762985e380f61033.mspx?mfr=true

The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be translated, as this will invalidate the hash value. The transport and application layers are always secured by hash, so they cannot be modified in any way (for example by translating the port numbers). Transport mode is used for host-to-host communications.

Melvin

It would help if we knew a bit more about your environment. Would I be correct in assuming that when you say there are RFC 1918 addresses on the source and destination network that this means the networks on the inside interfaces of the routers? Another question is what is on the outside (Internet facing) interfaces? If there are public addresses on the outside interfaces then there is an opportunity to run IPSec with GRE where IPSec runs in transport mode and the GRE tunnels are terminated on the outside interfaces. In this implementation the addresses that the Internet sees are the outside interface addresses used by GRE and not the RFC 1918 addresses of the original packet.

HTH

Rick
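The two replies above make two separate points: vkapoor5's, that AH's integrity hash covers the IP addresses so NAT invalidates it, and Rick's, that GRE over IPsec in transport mode hides the RFC 1918 addresses behind the GRE endpoints. The following Python is an added example, not code from the thread or from any vendor, that builds simplified packets for each of the three layouts (ESP transport, ESP tunnel, GRE over ESP transport) and reports which addresses sit in the outer header, then builds an AH transport packet and shows its integrity check failing after a NAT rewrite. All addresses, keys and payloads are constructed for the example; "encryption" is a placeholder wrapper and no real ESP cipher, IP checksum or options handling is implemented.

```python
"""Added example (not from the original thread): what a router on the public
Internet sees for IPsec transport mode, tunnel mode and GRE-over-IPsec
transport mode, and why AH breaks under NAT. Addresses, key and payload are
constructed for the example; ESP "encryption" is a placeholder, not a cipher."""
import hashlib
import hmac
import struct
from ipaddress import ip_address

PROTO_ICMP, PROTO_GRE, PROTO_ESP, PROTO_AH = 1, 47, 50, 51
KEY = b"example-ah-key"  # constructed for the example


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero, no options."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, ip_address(src).packed, ip_address(dst).packed)


def outer_addresses(pkt):
    """(src, dst) of the outermost IP header: what Internet routers forward on."""
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    return str(ip_address(src)), str(ip_address(dst))


def _esp(spi, seq, plaintext):
    # ESP header (SPI, sequence) followed by a placeholder for the ciphertext.
    return struct.pack("!II", spi, seq) + b"<enc>" + plaintext + b"</enc>"


def transport_mode_esp(src, dst, payload, spi=0x1001):
    """Transport mode keeps the original IP header; only the payload is protected.
    With RFC 1918 src/dst, the private addresses are what the Internet sees."""
    esp = _esp(spi, 1, payload)
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp


def tunnel_mode_esp(in_src, in_dst, out_src, out_dst, payload, spi=0x1002):
    """Tunnel mode wraps the whole inner packet; a new outer header carries the
    public addresses of the IPsec peers."""
    inner = ipv4_header(in_src, in_dst, PROTO_ICMP, len(payload)) + payload
    esp = _esp(spi, 1, inner)
    return ipv4_header(out_src, out_dst, PROTO_ESP, len(esp)) + esp


def gre_over_ipsec_transport(in_src, in_dst, tun_src, tun_dst, payload, spi=0x1003):
    """GRE first encapsulates the private packet between the tunnel endpoints;
    IPsec transport mode then protects the GRE payload while keeping the GRE
    outer header, so the public tunnel endpoint addresses are what is routed."""
    inner = ipv4_header(in_src, in_dst, PROTO_ICMP, len(payload)) + payload
    gre = struct.pack("!HH", 0, 0x0800) + inner  # flags/version=0, protocol=IPv4
    esp = _esp(spi, 1, gre)                     # ESP next-header would be 47 (GRE)
    return ipv4_header(tun_src, tun_dst, PROTO_ESP, len(esp)) + esp


def _ah_icv(key, ip_hdr, rest):
    """AH integrity value: HMAC over the IP header with the mutable fields
    (ToS, flags/fragment offset, TTL, checksum) zeroed, plus the AH header and
    payload. Source and destination addresses are immutable fields and ARE
    covered, which is exactly why a NAT rewrite invalidates the hash."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # ToS / DSCP
    h[6:8] = b"\x00\x00"        # flags and fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return hmac.new(key, bytes(h) + rest, hashlib.sha256).digest()[:12]


def ah_transport_packet(key, src, dst, payload, spi=0x2001, seq=1):
    """AH in transport mode: IP header | AH header (12 bytes + 12-byte ICV) | payload."""
    ah_len = 24
    ip_hdr = ipv4_header(src, dst, PROTO_AH, ah_len + len(payload))
    ah_fixed = struct.pack("!BBHII", PROTO_ICMP, ah_len // 4 - 2, 0, spi, seq)
    icv = _ah_icv(key, ip_hdr, ah_fixed + bytes(12) + payload)  # ICV field zeroed
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(key, pkt):
    """Recompute the ICV the way the receiving peer would and compare."""
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(_ah_icv(key, ip_hdr, ah_fixed + bytes(12) + payload), icv)


def nat_rewrite_source(pkt, new_src):
    """What a source-NAT device does on the way out: replace the source address."""
    return pkt[:12] + ip_address(new_src).packed + pkt[16:]


def exposure_report():
    """Outer addresses per mode for a private host 10.1.1.5 talking to 10.2.2.7
    through peers with public addresses 198.51.100.1 and 203.0.113.1 (constructed)."""
    ping = b"ping"
    return {
        "esp transport": outer_addresses(transport_mode_esp("10.1.1.5", "10.2.2.7", ping)),
        "esp tunnel": outer_addresses(tunnel_mode_esp(
            "10.1.1.5", "10.2.2.7", "198.51.100.1", "203.0.113.1", ping)),
        "gre over esp transport": outer_addresses(gre_over_ipsec_transport(
            "10.1.1.5", "10.2.2.7", "198.51.100.1", "203.0.113.1", ping)),
    }


if __name__ == "__main__":
    for mode, addrs in exposure_report().items():
        print(f"{mode:24s} outer src/dst = {addrs}")
    ah = ah_transport_packet(KEY, "10.1.1.5", "10.2.2.7", b"ping")
    print("AH verifies before NAT:", ah_verify(KEY, ah))
    print("AH verifies after NAT: ", ah_verify(KEY, nat_rewrite_source(ah, "198.51.100.1")))
```

Run it and the report shows that only the plain transport-mode packet carries 10.x addresses in its outer header, which is the packet the Internet would refuse to route; the tunnel-mode and GRE-over-IPsec packets both present the public peer addresses. The AH check passes before NAT and fails after, because the HMAC covers the immutable address fields; ESP does not cover the outer IP header, which is why ESP (with NAT-T) survives NAT where AH cannot.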