Security Basics mailing list archives

RE: IPSEC Tunnel vs Transport Mode


From: "Schouten, Diederik (Diederik)" <dschout () lucent com>
Date: Thu, 24 Apr 2003 10:45:39 +0200


This is actually general behaviour and not a Cisco-Ism :)

In transport mode, all that happens is authentication and/or encryption of
the payload of the packet; the original IP header is still used for the
packet routing.
This, as you say, is mostly used when 2 hosts need to securely talk to each
other without the requirement of a VPN gateway.

As soon as a gateway is used to set up LAN-LAN or Client-LAN "tunnels", the
original packet gets encapsulated and a new IP header will be built with the
information of the 2 endpoints.
Authentication is now done on the new IP header and encryption is done on
the new packet's payload.

All VPN Gateways/VPN Capable Firewalls will use Tunnel mode for site-site
VPNs.


Transport mode:

original packet:   [eth [ip      [tcp/udp [data] ]   ] ]
before encryption: [eth [ip [esp [tcp/udp [data] ] ] ] ]
encrypted:         [eth [ip [esp [xxxxxxxxxxxxxxx] ] ] ]


Tunnel Mode:

original packet:   [eth              [ip-in [tcp/udp [data] ] ]     ]
encapsulated:      [eth [ip-out      [ip-in [tcp/udp [data] ] ]   ] ]
before encryption: [eth [ip-out [esp [ip-in [tcp/udp [data] ] ] ] ] ]
encrypted:         [eth [ip-out [esp [xxxxxxxxxxxxxxxxxxxxxxxx] ] ] ]


As you can see there are 2 IP Headers in the Tunnel mode...
ip-in  (the original header used for host-host communication)
ip-out (the header used for gateway-gateway communication)

Greetings,

        Diederik

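Added example (not part of Diederik's message or anything else in this thread): the two ASCII diagrams above, built as bytes. It frames a TCP segment in ESP (RFC 4303 layout: SPI | Seq | payload | padding | pad length | next header | ICV) once in transport mode and once in tunnel mode, then shows what an on-path router can read versus what the receiving endpoint recovers. Assumptions: the cipher is a toy HMAC-SHA256 keystream standing in for AES so the code runs on the Python standard library alone (never use it for real traffic); the addresses, keys and TCP segment are constructed sample data; the function and constant names are mine.

```python
"""Added example: ESP transport mode vs tunnel mode, byte by byte.
Toy keystream cipher (assumption: stand-in for AES) - not for real use."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50  # IANA protocol / next-header numbers
ICV_LEN = 12                                       # 96-bit truncated MAC, like HMAC-SHA1-96

# Constructed sample data: a host on each LAN and a VPN gateway in front of each.
HOST_A, HOST_B = "10.1.0.5", "10.2.0.7"
GW_A, GW_B = "192.0.2.1", "198.51.100.1"
KEYS = (b"example-esp-encryption-key-00001", b"example-esp-integrity-key-000002")


def _checksum(data):
    """RFC 1071 ones-complement sum over an even-length byte string."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def tcp_segment(sport, dport, data):
    """20-byte TCP header (PSH|ACK, data offset 5) plus data; checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data


def _keystream(key, spi, seq, n):
    """Toy PRF keystream bound to (SPI, sequence number); stands in for a real cipher."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def esp_encapsulate(keys, spi, seq, payload, next_header):
    """Encrypt payload + ESP trailer, then MAC the ESP header and ciphertext."""
    enc_key, auth_key = keys
    pad_len = (-(len(payload) + 2)) % 4  # trailer must end on a 4-byte boundary
    plaintext = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, spi, seq, len(plaintext))))
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    return esp_hdr + body + icv


def esp_decapsulate(keys, esp):
    """Verify the ICV before decrypting; return (next_header, original payload)."""
    enc_key, auth_key = keys
    esp_hdr, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet altered or wrong key")
    spi, seq = struct.unpack("!II", esp_hdr)
    plaintext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, spi, seq, len(body))))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return next_header, plaintext[:-(2 + pad_len)]


def transport_mode(segment, keys, spi=0x1000, seq=1):
    """Host-to-host: ESP protects only the TCP segment; the original IP header
    (host addresses) stays in the clear and still routes the packet."""
    esp = esp_encapsulate(keys, spi, seq, segment, IPPROTO_TCP)
    return ipv4_header(HOST_A, HOST_B, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(segment, keys, spi=0x2000, seq=1):
    """Gateway-to-gateway: the whole inner packet (ip-in) is the ESP payload and a
    new outer header (ip-out) is built from the two gateway addresses."""
    inner = ipv4_header(HOST_A, HOST_B, IPPROTO_TCP, len(segment)) + segment
    esp = esp_encapsulate(keys, spi, seq, inner, IPPROTO_IPIP)
    return ipv4_header(GW_A, GW_B, IPPROTO_ESP, len(esp)) + esp


def on_path_view(packet):
    """What a router between the endpoints can read: outer header plus ESP SPI/seq."""
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"src": str(IPv4Address(packet[12:16])), "dst": str(IPv4Address(packet[16:20])),
            "proto": packet[9], "spi": spi, "seq": seq}


def receive(packet, keys):
    """Receiving endpoint: the ESP next-header field says whether an inner IP header
    follows (tunnel mode, two IP headers) or the TCP header directly (transport mode)."""
    next_header, payload = esp_decapsulate(keys, packet[20:])
    if next_header == IPPROTO_IPIP:
        return {"mode": "tunnel", "ip_headers": 2, "inner_src": str(IPv4Address(payload[12:16])),
                "inner_dst": str(IPv4Address(payload[16:20])), "segment": payload[20:]}
    return {"mode": "transport", "ip_headers": 1, "segment": payload}


if __name__ == "__main__":
    seg = tcp_segment(40000, 443, b"GET / HTTP/1.0\r\n")
    for name, pkt in (("transport", transport_mode(seg, KEYS)), ("tunnel", tunnel_mode(seg, KEYS))):
        print(name, len(pkt), "bytes; on path:", on_path_view(pkt))
        print("  endpoint:", receive(pkt, KEYS))
```

Running it shows the point of the diagrams: in transport mode the outer (and only) IP header carries 10.1.0.5 -> 10.2.0.7, so anyone on the path learns which hosts are talking; in tunnel mode the same segment costs exactly 20 more bytes (the inner header), the path sees only 192.0.2.1 -> 198.51.100.1 with protocol 50, and the host addresses come back only after the ICV check passes. A flipped ICV byte is rejected before any decryption happens, which is the order a real ESP implementation must also keep.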


-----Original Message-----
From: Robin Atler [mailto:ratler () enter net]
Sent: 23 April 2003 14:51
To: security-basics () securityfocus com
Subject: IPSEC Tunnel vs Transport Mode




I'm setting up a VPN.  I've read some documentation that states, rather
generically, that IPSEC tunnels can run in either tunnel or transport
mode.  Transport mode simply protects the message contents while tunnel
mode protects the message contents and the original IP headers.  I'm using
Cisco gear which says that transport mode only works when the tunnel
endpoints are the conversing devices.  This doesn't seem quite right to me
and I don't understand why that would be required.  Can anyone explain
that or is this particular behavior simply a "cisco-ism"?

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hands-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------
