tunnel protection works with transport mode only???

Answered Question
Apr 13th, 2009

Does anyone know why tunnel protection works with transport mode only? If I change it to tunnel mode, it stops working immediately.


Thanks,


Ivan Martinon (Cisco Employee) Mon, 04/13/2009 - 07:04

Tunnel protection works with both modes, however transport mode is used when NAT is present along the path, which might be your case.

yuhuiyao Mon, 04/13/2009 - 07:07

Thanks for your reply. You are correct, I have NAT firewalls in the path. Do you know why I have to use transport mode in the case of NAT?


Thanks,

Correct Answer
Ivan Martinon (Cisco Employee) Mon, 04/13/2009 - 07:15

That is because tunnel mode creates a new IP header, which gets modified when it is NATed; when the remote peer receives this new, NATed header, the security numbers do not match what it had generated. Using transport mode keeps the original header and only encapsulates the payload.
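
The two answers above (tunnel protection works in both modes; transport mode is what survives a NAT in the path because it keeps the GRE packet's own IP header as the outer header) can be traced packet by packet. The following is an added example written for this page, not code from the thread or from Cisco: a small Python model of a spoke behind a NAT firewall sending one GRE packet to a hub through ESP, in tunnel mode and in transport mode, with and without the NAT. The addresses (10.1.1.1, 198.51.100.7, 203.0.113.5) are constructed from the RFC 5737 documentation ranges and are assumptions; the model does not implement real ESP (no SPI, ICV or NAT-T) and only tracks which IP header sits outside the encryption, which is the part a NAT device can touch.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example addresses (RFC 5737 documentation ranges). These are
# assumptions for the demonstration, not addresses from the thread.
SPOKE_PRIVATE = "10.1.1.1"     # spoke router's interface, behind the NAT firewall
SPOKE_PUBLIC = "198.51.100.7"  # address the NAT firewall presents to the outside
HUB = "203.0.113.5"            # hub router's public address


@dataclass
class IPHeader:
    src: str
    dst: str
    proto: str  # "gre" or "esp"


@dataclass
class Packet:
    headers: List[IPHeader]          # outermost header first
    esp_next: Optional[str] = None   # what ESP carries: "ip" (tunnel) or "gre" (transport)
    payload: str = "GRE passenger packet"


def gre_encapsulate(src: str, dst: str) -> Packet:
    """The GRE tunnel interface adds an IP header carrying its configured
    tunnel source and tunnel destination."""
    return Packet(headers=[IPHeader(src, dst, "gre")])


def ipsec_protect(pkt: Packet, mode: str) -> Packet:
    """Apply ESP in the requested mode to the GRE packet."""
    gre_hdr = pkt.headers[0]
    if mode == "tunnel":
        # Tunnel mode prepends a brand-new outer IP header; the original GRE
        # IP header is encrypted along with the payload.
        outer = IPHeader(gre_hdr.src, gre_hdr.dst, "esp")
        return Packet(headers=[outer] + pkt.headers, esp_next="ip", payload=pkt.payload)
    if mode == "transport":
        # Transport mode keeps the GRE IP header as the outer header and only
        # rewrites its protocol field; only the GRE payload is encrypted.
        outer = IPHeader(gre_hdr.src, gre_hdr.dst, "esp")
        return Packet(headers=[outer], esp_next="gre", payload=pkt.payload)
    raise ValueError(f"unknown IPsec mode {mode!r}")


def nat_firewall(pkt: Packet) -> Packet:
    """Source NAT on the path. It can only rewrite the outermost IP header;
    anything inside ESP is opaque to it. (NAT-T / UDP 4500 is not modelled.)"""
    outer = pkt.headers[0]
    if outer.src == SPOKE_PRIVATE:
        pkt.headers[0] = IPHeader(SPOKE_PUBLIC, outer.dst, outer.proto)
    return pkt


def ipsec_unprotect(pkt: Packet) -> Packet:
    """The hub decapsulates ESP and hands the result to its GRE tunnel interface."""
    outer = pkt.headers[0]
    if outer.proto != "esp":
        raise ValueError("expected ESP")
    if pkt.esp_next == "ip":
        # Tunnel mode: the outer header is discarded and the pre-NAT inner header appears.
        return Packet(headers=pkt.headers[1:], payload=pkt.payload)
    # Transport mode: the (NATed) outer header is kept, next protocol restored.
    return Packet(headers=[IPHeader(outer.src, outer.dst, pkt.esp_next)], payload=pkt.payload)


def hub_gre_accepts(pkt: Packet, hub_tunnel_destination: str) -> Tuple[bool, str]:
    """The hub's Tunnel interface only accepts GRE whose source is its configured
    'tunnel destination' and whose destination is its own tunnel source."""
    hdr = pkt.headers[0]
    if hdr.proto != "gre":
        return False, f"not GRE: {hdr.proto}"
    if hdr.src != hub_tunnel_destination or hdr.dst != HUB:
        return False, (f"GRE {hdr.src}->{hdr.dst} does not match the hub tunnel "
                       f"{HUB}<->{hub_tunnel_destination}")
    return True, "ok"


def run(mode: str, nat_in_path: bool) -> Tuple[bool, str]:
    """Send one GRE packet from spoke to hub through IPsec in `mode`, optionally via NAT."""
    pkt = ipsec_protect(gre_encapsulate(SPOKE_PRIVATE, HUB), mode)
    if nat_in_path:
        pkt = nat_firewall(pkt)
    # Without NAT the hub points its tunnel at the spoke's real address;
    # with NAT it can only point at the NAT firewall's public address.
    hub_dest = SPOKE_PUBLIC if nat_in_path else SPOKE_PRIVATE
    return hub_gre_accepts(ipsec_unprotect(pkt), hub_dest)


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        for nat in (False, True):
            ok, why = run(mode, nat)
            print(f"{mode:9s} nat={nat!s:5s} -> {'accepted' if ok else 'dropped'}: {why}")
```

Without a NAT both modes are accepted, which is the "works with both modes" point. With the NAT, tunnel mode fails: the NAT rewrote the outer header that IPsec added, but the GRE IP header inside the encryption still says 10.1.1.1, so after decapsulation the hub sees GRE from an address that is not its tunnel destination. In transport mode the GRE IP header is the outer header, the NAT rewrites it to 198.51.100.7, and that is exactly what the hub's tunnel is pointed at. The model assumes the ESP packets reach the hub at all (a one-to-one NAT, or NAT-T, which is left out here); when NAT-T is disabled behind a port-translating firewall, as in the later post, ESP may not get through in either mode, which is a separate problem from the header mismatch shown here.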

yuhuiyao Mon, 04/13/2009 - 08:40

I tried transport mode with tunnel protection on the GRE interfaces, plus no crypto ipsec nat-transparency udp-encaps; it is not working when NAT is present. Any idea?

Ivan Martinon (Cisco Employee) Mon, 04/13/2009 - 08:42

What is the actual error you get? Do you complete the tunnel? Are you not passing traffic? Can you post your configs and debugs?
