IPSec Transport Mode

Unanswered Question
Mar 29th, 2008
User Badges:

Quick question:

here is the scenario:

Site-to-site VPN between 2 routers.

Routers separated by public Internet.

RFC 1918 addresses on source and destination networks.


If in transport mode, IPSec does not encrypt the original IP header, but instead leaves it exposed for routing purposes, is it then true that you cant run IPSec transport mode when you have private address on both ends? You cant route private addresses over the public Internet, of course...hence, my question.

In tunnel mode, the original IP packet is totally encapsulated by an IPSec packet and the IPSec tunnel endpoints are the address that are exposed and used for routing the user traffic. So, of course, tunnel mode is perfectly acceptable.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
vkapoor5 Mon, 04/07/2008 - 06:06
User Badges:
  • Bronze, 100 points or more

When transport mode is used, IPSec encrypts only the IP payload. Transport mode provides the protection of an IP payload through an AH or ESP header. Typical IP payloads are TCP segments (containing a TCP header and TCP segment data), a UDP message (containing a UDP header and UDP message data), and an ICMP message (containing an ICMP header and ICMP message data).


The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be translated, as this will invalidate the hash value. The transport and application layers are always secured by hash, so they cannot be modified in any way (for example by translating the port numbers). Transport mode is used for host-to-host communications.

Richard Burts Tue, 04/08/2008 - 09:06
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


It would help if we knew a bit more about your environment. Would I be correct in assuming that when you say there are RFC 1918 addresses on the source and destination network that this means the networks on the inside interfaces of the routers? Another question is what is on the outside (Internet facing) interfaces? If there are public addresses on the outside interfaces then there is an opportunity to run IPSec with GRE where IPSec runs in transport mode and the GRE tunnels are terminated on the outside interfaces. In this implementation the addresses that the Internet sees are the outside interface addresses used by GRE and not the RFC 1918 addresses of the original packet.




This Discussion