Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
363
Views
0
Helpful
3
Replies

Can't get Transport Mode to Work

fgleeson
Level 1
Level 1

‎04-09-2008 02:40 AM - edited ‎03-09-2019 08:28 PM

Just messing around in a lab with a few routers. Trying to bring up transport mode first on an IPSEC tunnel. All seems correct, but it constantly comes up in Tunnel Mode. I can't see why?

Can anyone see anything obvious?

Enclosed are configs and a WireShark capture of the output - as you can see it's Tunnel Mode - and not Transport.

The output of "show crypto ipsec sa" demonstrates the fact that its Tunnel mode.

Labels:
Preview file
209 KB
Preview file
5 KB
0 Helpful
3 Replies 3

Richard Burts
Hall of Fame
Hall of Fame

‎04-09-2008 09:23 AM

Fergus

You have showed us parts of the configuration but not some others. The crypto map uses access list 100 to match traffic. Can you tell us what is in this access list?

In the command reference the information about mode transport says that "This setting is only used when the traffic to be protected has the same IP addresses as the IPSec peers (this traffic can be encapsulated either in tunnel or transport mode). This setting is ignored for all other traffic (all other traffic is encapsulated in tunnel mode)"

My guess is that the traffic being sent through IPSec does not meet this condition. If you are interested here is the link:

http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_i2g.html#wp1072724

HTH

Rick

HTH

Rick
0 Helpful

fgleeson
Level 1
Level 1
In response to Richard Burts

‎04-10-2008 01:28 AM

Thanks for the reply Rick.

The access list is a catch-all :-

access-list 100 permit ip any any

It's a strange one to grasp really.

"traffic to be protected has the same IP addresses as the IPSec peers "

My routers are peers - 192.168.1.1 & 192.168.1.2

If i ping from .1 to .2, or .2 to .1, in my mind this represented "the same IP addresses as the IPSEC peers". Other than the ping, i don't know how i can simulate peer traffic that would come up in transport mode. Do you?

Once the IPSEC link is built, and it's a tunnel link, i don't think it will ever divert away from this and create a separate transport mode link, so all traffic will ride across it.

It's not a big deal i suppose. Router to router connections don't seem to support transport mode.

I know how the packets would look like, which is the most important thing really. The headers are just in different positions.

Thanks again for taking the time to answer Rick.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to fgleeson

‎04-10-2008 09:11 AM

Fergus

The times that I have used transport mode (and it did work well) was when I was configuring IPSec with GRE tunnels. I used transport mode and the tunnels come up in transport mode. And since the GRE tunnel packets use the router interface as their address they do meet the criteria of the same IP addresses as the IPSEC peers.

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents