Security Basics mailing list archives
RE: IPSEC Tunnel vs Transport Mode
From: "Schouten, Diederik (Diederik)" <dschout () lucent com>
Date: Thu, 24 Apr 2003 10:45:39 +0200
This is actually general behaviour and not a Cisco-Ism :)

In transport mode, all that happens is authentication and/or encryption of the payload of the packet; the original IP header is still used for the packet routing. This, as you say, is mostly used when 2 hosts need to securely talk to each other without the requirement of a VPN gateway.

As soon as a gateway is used to set up LAN-LAN or Client-LAN "tunnels", the original packet gets encapsulated and a new IP header will be built with the information of the 2 endpoints. Authentication is now done on the new IP header and encryption is done on the new packet's payload. All VPN Gateways/VPN Capable Firewalls will use Tunnel mode for site-site VPNs.

Transport mode:

  original packet:   [eth [ip [tcp/udp [data] ] ] ]
  before encryption: [eth [ip [esp [tcp/udp [data] ] ] ] ]
  encrypted:         [eth [ip [esp [xxxxxxxxxxxxxxx] ] ] ]

Tunnel Mode:

  original packet:   [eth [ip-in [tcp/udp [data] ] ] ]
  encapsulated:      [eth [ip-out [ip-in [tcp/udp [data] ] ] ] ]
  before encryption: [eth [ip-out [esp [ip-in [tcp/udp [data] ] ] ] ] ]
  encrypted:         [eth [ip-out [esp [xxxxxxxxxxxxxxxxxxxxxxxx] ] ] ]

As you can see there are 2 IP Headers in the Tunnel mode...
  ip-in  (the original header used for host-host communication)
  ip-out (the header used for gateway-gateway communication)

Greetings,
Diederik
-----Original Message-----
From: Robin Atler [mailto:ratler () enter net]
Sent: 23 April 2003 14:51
To: security-basics () securityfocus com
Subject: IPSEC Tunnel vs Transport Mode

I'm setting up a VPN. I've read some documentation that states, rather generically, that IPSEC tunnels can run in either tunnel or transport mode. Transport mode simply protects the message contents while tunnel mode protects the message contents and the original IP headers.

I'm using Cisco gear which says that transport mode only works when the tunnel endpoints are the conversing devices. This doesn't seem quite right to me and I don't understand why that would be required. Can anyone explain that, or is this particular behavior simply a "cisco-ism"?

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hands-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place.
http://www.securityfocus.com/BlackHat-security-basics
---------------------------------------------------------------------------
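The two layouts drawn in the reply above, built byte for byte. This is an added Python example, not code from the thread or from any vendor's IPsec implementation. It assumes a 20-byte IPv4 header without options, a toy XOR routine standing in for the SA's real cipher and integrity check (real ESP uses e.g. AES-GCM and carries an ICV), and constructed host addresses, gateway addresses, SPI and key values. The point it makes visible: in transport mode a passive observer still reads the two hosts' addresses from the outer header, in tunnel mode only the two gateways' addresses.

```python
import socket
import struct

ESP_PROTO = 50     # IP protocol number carried in the outer header for ESP
IPIP_PROTO = 4     # ESP "next header" value meaning an inner IPv4 packet follows
TCP_PROTO = 6


def _checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (no options, TTL 64) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def _toy_cipher(data: bytes, key: bytes) -> bytes:
    """Placeholder for the SA's cipher (XOR, symmetric) -- NOT real encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def esp_encapsulate(plaintext: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """ESP body: [SPI][seq] + cipher([plaintext][padding][pad len][next header])."""
    pad_len = (-(len(plaintext) + 2)) % 4          # 4-byte alignment of the trailer
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + _toy_cipher(plaintext + trailer, key)


def esp_decapsulate(esp: bytes, key: bytes):
    """Reverse of esp_encapsulate: returns (next_header, plaintext)."""
    clear = _toy_cipher(esp[8:], key)              # skip SPI and sequence number
    pad_len, next_header = clear[-2], clear[-1]
    return next_header, clear[:len(clear) - 2 - pad_len]


def transport_mode(pkt: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """[ip [esp [tcp/udp [data]]]]: original header kept, only its payload protected."""
    hdr, payload = pkt[:20], pkt[20:]
    src, dst, proto = socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]), hdr[9]
    return ipv4_packet(src, dst, ESP_PROTO, esp_encapsulate(payload, proto, spi, seq, key))


def tunnel_mode(pkt: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """[ip-out [esp [ip-in [tcp/udp [data]]]]]: whole original packet wrapped by the gateway."""
    return ipv4_packet(gw_src, gw_dst, ESP_PROTO, esp_encapsulate(pkt, IPIP_PROTO, spi, seq, key))


def observer_view(pkt: bytes):
    """What anyone on the path can read from the outer header: (src, dst, protocol)."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9]


def unwrap(pkt: bytes, key: bytes) -> bytes:
    """Receiving peer: strip ESP and return the original cleartext IP packet."""
    hdr = pkt[:20]
    if hdr[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    next_header, clear = esp_decapsulate(pkt[20:], key)
    if next_header == IPIP_PROTO:                  # tunnel mode: inner packet is complete
        return clear
    src, dst = socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20])
    return ipv4_packet(src, dst, next_header, clear)   # transport: restore original proto


# Constructed sample: host 10.0.1.5 talks to host 10.0.2.7; the two sites'
# gateways are 203.0.113.1 and 198.51.100.1. Key and SPIs are made up.
KEY = b"constructed-demo-key"
SEGMENT = b"\x04\xd2\x00\x50" + b"hello"           # fake TCP ports 1234 -> 80 plus data
ORIGINAL = ipv4_packet("10.0.1.5", "10.0.2.7", TCP_PROTO, SEGMENT)
TRANSPORT = transport_mode(ORIGINAL, 0x1001, 1, KEY)
TUNNEL = tunnel_mode(ORIGINAL, "203.0.113.1", "198.51.100.1", 0x2002, 1, KEY)

if __name__ == "__main__":
    print("transport, seen on the wire:", observer_view(TRANSPORT))
    print("tunnel,    seen on the wire:", observer_view(TUNNEL))
    print("tunnel packet is", len(TUNNEL) - len(TRANSPORT), "bytes longer (the inner header)")
```

Running it shows the transport-mode packet still addressed host to host with protocol 50, while the tunnel-mode packet is addressed gateway to gateway and is exactly one inner IP header longer; `unwrap` recovers the identical original packet from either form, which is why a gateway can forward the inner packet onto its LAN after decapsulation.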
Current thread:
- IPSEC Tunnel vs Transport Mode Robin Atler (Apr 23)
- RE: IPSEC Tunnel vs Transport Mode David Gillett (Apr 24)
- <Possible follow-ups>
- RE: IPSEC Tunnel vs Transport Mode Naman Latif (Apr 24)
- RE: IPSEC Tunnel vs Transport Mode Schouten, Diederik (Diederik) (Apr 24)
- Re: IPSEC Tunnel vs Transport Mode Mark Reardon (Apr 24)