Why do we have a single hop between IPsec peers?

Apr 2nd, 2008

Why do we have a single hop between IPsec peers?

What is the concept behind this?

Physically the data is transmitted through various routers or hops before reaching the destination peer.

But while tracing we can see only 1 hop.

Why is it so?



Regards,


Kesavamurthy Palani

Jon Marshall Wed, 04/02/2008 - 03:39
Because it is a tunnel, your traceroute packet is encapsulated within another packet, i.e.


Host1 -> VPN1 -> R1 -> R2 -> R3 -> VPN2 -> Host2


Host1 traceroutes to Host2.


When the packet reaches VPN1, the original traceroute packet is encapsulated within another packet with a source of VPN1 and a destination of VPN2. The packet is now an IPsec packet. The original traceroute packet is still there, but it is not visible to the R routers in the above topology.


Hope this makes sense.


Jon



keshavnow Wed, 04/02/2008 - 05:10

Thanks!! Jon


I got it!


Other question:

--------------------


Still, the packets leaving VPN1 after IPsec encapsulation will pass through R1 -> R2 -> R3 here.


So basically, if we use a tunnel, virtually the data is transmitted in a single hop, but the IPsec packets will physically go through all the routers, with fragmentation and reassembly due to the MTU of the medium along the path.


But the trace doesn't show this, as it is encapsulated inside the IPsec packet.


Am I right?



Regards,


Kesavamurthy Palani

Correct Answer
Jon Marshall Wed, 04/02/2008 - 05:12

Yes, you've got it.


Jon
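Jon's explanation above (the inner traceroute packet is carried inside an outer VPN1 -> VPN2 packet, so R1, R2 and R3 only ever decrement the outer TTL) and the follow-up about the encrypted packets still physically crossing every router, with fragmentation when the added ESP overhead pushes them past the link MTU, can both be seen in a small simulation. The following is an added illustration, not code from the original thread. It uses the node names from the topology in the thread; the outer-header TTL of 255, the 73-byte ESP overhead and the 1500-byte MTU are assumptions chosen for the demo, not values from the discussion.

```python
"""Toy model of the thread's topology, showing why traceroute from Host1 to
Host2 lists the two IPsec peers as consecutive hops even though the
encrypted packets physically cross R1, R2 and R3.

Added illustration, not code from the original thread.  Node names follow
the topology in the thread; the outer-header TTL (255), the ESP overhead
(73 bytes) and the link MTU (1500) are assumptions chosen for the demo.
"""
from dataclasses import dataclass
from math import ceil
from typing import Dict, List, Optional, Tuple

# Host1 -> VPN1 -> R1 -> R2 -> R3 -> VPN2 -> Host2
PATH = ["Host1", "VPN1", "R1", "R2", "R3", "VPN2", "Host2"]
TRANSIT = {"R1", "R2", "R3"}   # plain routers between the IPsec peers
OUTER_TTL = 255                # assumed TTL that VPN1 writes into the outer header


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    inner: Optional["Packet"] = None   # set when this is the ESP/outer packet


def probe(ttl: int, headers_seen: Dict[str, Tuple[str, str]]) -> str:
    """Send one traceroute probe from Host1 with the given TTL.

    Returns the node that answers: the one whose decrement drove the TTL to 0
    (ICMP Time Exceeded), or Host2 once the probe arrives.  Each node records
    the (src, dst) of the header it forwards on, so the caller can see which
    nodes ever saw the Host1/Host2 addresses.
    """
    pkt = Packet("Host1", "Host2", ttl)
    for node in PATH[1:]:
        if node == "Host2":
            return node                       # destination answers the probe itself
        if node == "VPN1":
            pkt.ttl -= 1                      # normal forwarding decrement on the inner header
            if pkt.ttl == 0:
                return node
            # Tunnel-mode encapsulation: new outer header VPN1 -> VPN2 with its own TTL.
            pkt = Packet("VPN1", "VPN2", OUTER_TTL, inner=pkt)
        elif node in TRANSIT:
            pkt.ttl -= 1                      # transit routers only touch the outer TTL
            if pkt.ttl == 0:
                return node                   # cannot happen with OUTER_TTL = 255
        elif node == "VPN2":
            pkt = pkt.inner                   # decapsulate: the outer header is discarded
            pkt.ttl -= 1                      # then forwarded like any other packet
            if pkt.ttl == 0:
                return node
        headers_seen[node] = (pkt.src, pkt.dst)
    raise RuntimeError("probe ran off the end of the path")


def traceroute(max_hops: int = 30) -> Tuple[List[str], Dict[str, Tuple[str, str]]]:
    """Return the hop list traceroute would print, plus each node's header view."""
    hops: List[str] = []
    headers_seen: Dict[str, Tuple[str, str]] = {}
    for ttl in range(1, max_hops + 1):
        responder = probe(ttl, headers_seen)
        hops.append(responder)
        if responder == "Host2":
            break
    return hops, headers_seen


def outer_fragments(inner_len: int, esp_overhead: int = 73, mtu: int = 1500) -> int:
    """How many IPv4 fragments the ESP packet needs on a link of the given MTU.

    The inner packet grows by the outer IPv4 header plus ESP header, IV,
    padding and ICV; 73 bytes is a rough worst case for AES-CBC with HMAC and
    is an assumption here.  Fragments carry a 20-byte header and a payload
    that is a multiple of 8 bytes, except for the last one.
    """
    outer_len = inner_len + esp_overhead
    if outer_len <= mtu:
        return 1
    per_fragment = ((mtu - 20) // 8) * 8
    return ceil((outer_len - 20) / per_fragment)


if __name__ == "__main__":
    hops, seen = traceroute()
    for n, hop in enumerate(hops, 1):
        print(f"{n:2d}  {hop}")
    print("Header each node forwarded:", seen)
    for size in (1000, 1400, 1500):
        print(f"{size}-byte inner packet -> {outer_fragments(size)} fragment(s)")
```

Running it lists VPN1, VPN2 and Host2 as the three hops: R1, R2 and R3 never answer because they only ever decrement the fresh outer TTL, and the header they forward is VPN1 -> VPN2 rather than Host1 -> Host2. The fragment counter shows the second point: a 1400-byte inner packet still fits in one 1500-byte frame after the assumed ESP overhead, while a 1500-byte inner packet becomes two fragments that the transit routers carry and VPN2 reassembles before decapsulation.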
