Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
532
Views
5
Helpful
5
Replies

tunnel protection works with transport mode only???

Go to solution
yuhuiyao
Level 1
Level 1

‎04-13-2009 06:23 AM

Anyone know why tunnel protection works with transport mode only??? If I change it to tunnel mode, it stops working immediately.

Thanks,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ivan Martinon
Level 7
Level 7
In response to yuhuiyao

‎04-13-2009 07:15 AM

That is because Tunnel mode creates a new IP header which gets modified when is NATed, when the remote peer receives this new header which is NATed the Security numbers do not match to what it had generated. Using trasport mode keeps the original header and only encapsulates the payload.

View solution in original post

5 Replies 5

Go to solution
Ivan Martinon
Level 7
Level 7

‎04-13-2009 07:04 AM

Tunnel protection works with both modes, however transport mode is used when NAT is present along the path, which might be your case.

0 Helpful

Go to solution
yuhuiyao
Level 1
Level 1
In response to Ivan Martinon

‎04-13-2009 07:07 AM

Thanks for your reply. You are correct I have nat firewalls in the path. Do you know why I have to use transport mode in case of nat?

Thanks,

0 Helpful

Go to solution
Ivan Martinon
Level 7
Level 7
In response to yuhuiyao

‎04-13-2009 07:15 AM

That is because Tunnel mode creates a new IP header which gets modified when is NATed, when the remote peer receives this new header which is NATed the Security numbers do not match to what it had generated. Using trasport mode keeps the original header and only encapsulates the payload.

Go to solution
yuhuiyao
Level 1
Level 1
In response to Ivan Martinon

‎04-13-2009 08:40 AM

tried transport mode with tunnel protection on gre interfaces, plus no crypto ipsec nat-transparency udp-encaps, not working with nat is present, any idea?

0 Helpful

Go to solution
Ivan Martinon
Level 7
Level 7
In response to yuhuiyao

‎04-13-2009 08:42 AM

What is the actual error you get? do you complete the tunnel? are you not passing traffic? can you post your configs and debugs?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents