Why do we have a single hop between IPsec peers?

Answered Question
Apr 2nd, 2008

Why do we have a single hop between IPsec peers?

What is the concept behind this?

Physically, the data is transmitted through various routers or hops before reaching the destination peer.

But while tracing we can see only 1 hop.

Why is it so?

Regards,

Kesavamurthy Palani

Correct Answer by Jon Marshall about 8 years 10 months ago

Yes, you've got it.

Jon

Jon Marshall Wed, 04/02/2008 - 03:39

Because it is a tunnel, your traceroute packet is encapsulated within another packet, i.e.:

Host1 -> VPN1 -> R1 -> R2 -> R3 -> VPN2 -> Host2

Host1 traceroutes to Host2.

When the packet reaches VPN1, the original traceroute packet is encapsulated within another packet with a source of VPN1 and a destination of VPN2. The packet is now an IPsec packet. The original traceroute packet is there, but it is not visible to any of the R routers in the above topology.

Hope this makes sense.

Jon

keshavnow Wed, 04/02/2008 - 05:10

Thanks!! Jon

I got it!

Other question:

--------------------

Still, the packets leaving VPN1 after IPsec encapsulation will pass through R1 -> R2 -> R3 here.

So basically, if we use a tunnel, virtually the data is transmitted with a single hop, but the IPsec packets will physically go through all the routers, with fragmentation and reassembly due to the MTU of the medium along the path.

But the trace doesn't show this, as it is encapsulated inside the IPsec packet.

Am I right?

Regards,

Kesavamurthy Palani
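The hop-hiding that Jon describes, and the fragmentation of the encapsulated packet that Kesavamurthy asks about in the follow-up, as an added simulation written for this page (it is not code from the original thread or from Cisco). It models the topology Host1 -> VPN1 -> R1 -> R2 -> R3 -> VPN2 -> Host2 with plain Python dicts standing in for IP headers; no real packets are sent. Assumptions: the peers set a fresh outer TTL of 64 on the ESP packet, and the 58-byte ESP tunnel-mode overhead used in the fragmentation check is an illustrative figure, not a value from the thread.

```python
"""Constructed model of traceroute through an IPsec tunnel (not real traffic).

Transit routers only handle the *outer* ESP packet, so the inner probe's TTL is
decremented only by the hops the original packet really takes at IP level:
Host1 -> VPN1 -> VPN2 -> Host2.  R1..R3 therefore never appear in the trace.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed topology from the thread; TUNNEL names the two IPsec peers.
PATH = ["Host1", "VPN1", "R1", "R2", "R3", "VPN2", "Host2"]
TUNNEL = ("VPN1", "VPN2")
OUTER_TTL = 64     # assumption: peers set a fresh TTL on the outer packet
IP_HDR = 20        # IPv4 header without options


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    inner: Optional["Packet"] = None   # the original packet while encapsulated


def probe(path, ttl, tunnel=None):
    """Forward one probe with the given TTL from path[0] toward path[-1].

    Returns the node that either expires the probe (sends ICMP time exceeded)
    or is its final destination.
    """
    pkt = Packet(path[0], path[-1], ttl)
    ingress, egress = tunnel if tunnel else (None, None)
    for node in path[1:]:
        if pkt.inner is not None:
            if node != egress:
                # Transit router: sees only the outer ESP packet.
                pkt.ttl -= 1
                if pkt.ttl == 0:
                    return node          # only reachable if the outer TTL expires
                continue
            pkt = pkt.inner              # egress peer decapsulates
        if node == pkt.dst:
            return node
        pkt.ttl -= 1                     # a real IP hop for the original packet
        if pkt.ttl == 0:
            return node
        if node == ingress:
            # Ingress peer encapsulates: new outer header VPN1 -> VPN2.
            pkt = Packet(ingress, egress, OUTER_TTL, inner=pkt)
    return path[-1]


def traceroute(path, tunnel=None, max_ttl=30):
    """List of responding nodes, one per TTL, until the destination answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        node = probe(path, ttl, tunnel)
        hops.append(node)
        if node == path[-1]:
            break
    return hops


def outer_fragments(inner_len, esp_overhead, mtu):
    """Number of IPv4 fragments the outer (encapsulated) packet needs on a link
    with the given MTU.  Fragment data is carried in multiples of 8 bytes."""
    outer_len = inner_len + esp_overhead
    if outer_len <= mtu:
        return 1
    payload = outer_len - IP_HDR
    per_fragment = ((mtu - IP_HDR) // 8) * 8
    return -(-payload // per_fragment)   # ceiling division


if __name__ == "__main__":
    print("no tunnel :", " -> ".join(traceroute(PATH)))
    print("with tunnel:", " -> ".join(traceroute(PATH, TUNNEL)))
    # Illustrative overhead: 20 outer IP + 8 ESP + 16 IV + pad/trailer + 12 ICV.
    print("1500-byte packet + 58 bytes ESP on a 1500 MTU link ->",
          outer_fragments(1500, 58, 1500), "fragments")
```

Without the tunnel the trace lists VPN1, R1, R2, R3, VPN2 and Host2; with the tunnel it lists only VPN1, VPN2 and Host2, which is the single hop between the peers that the question describes. The fragmentation check is on the outer packet: a full-size 1500-byte inner packet plus ESP overhead no longer fits the 1500-byte link between the peers and is split into two fragments that VPN2 must reassemble before it can decrypt.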
