IPsec in transport mode!

Jul 27th, 2009

Hi all, I was testing site-to-site VPN. My diagram is simple. I am testing it on GNS3 to observe traffic via Wireshark.

R1 is connected to R2 over Fa0/0. R1 has a loopback and R2 a loopback. Traffic needs to be encrypted when one sends any IP packet to the other, and vice versa. The configuration is a standard site-to-site VPN except for this:

crypto ipsec transform-set aset esp-des esp-md5-hmac

mode transport

at both ends.

Now the issue is, the VPN is forming correctly, but when I check the debugs and show crypto ipsec sa, I am still seeing the mode to be Tunnel!! In Wireshark I can see that when I send a ping like this

R1#ping source


I am seeing the source and destination IPs to be and respectively. Why is this so? Two questions arise here:

1) Why are both ends negotiating tunnel mode instead of transport mode?

2) Why am I not seeing the original IP header? (This again falls back to question 1 above.)

I am really confused here. Did I misunderstand transport mode?

Ivan Martinon (Cisco Employee) Tue, 07/28/2009 - 13:02

You are not wrong on how transport mode works; however, AFAIK transport mode only works for remote access connections. LAN-to-LAN does not support transport mode.

meezanbank Tue, 07/28/2009 - 20:50

Dear Sir, I figured it out!! If in the crypto ACLs we define only the endpoint IPs, then the router will negotiate transport mode; if this is not the case, then it will always negotiate tunnel mode.

Thanks for the feedback sir :-)
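To make the rule meezanbank describes concrete, here is an added Python model of the decision (not code from the thread or from Cisco IOS): transport mode can only be negotiated when every crypto ACL entry selects nothing but the two IKE peer addresses themselves, because transport mode keeps the original IP header and so cannot carry packets addressed to or from anything else; otherwise tunnel mode is used and a sniffer on the R1-R2 link sees the peer addresses as the outer header. The addresses are constructed for the example (Fa0/0 peers 192.0.2.1 and 192.0.2.2, loopbacks 10.1.1.1 and 10.2.2.2) and the ACL lines use IOS `permit ip` syntax.

```python
import ipaddress

def _take_address(fields):
    """Consume one IOS address token ('host A', 'any', or 'A WILDCARD') and return a network."""
    if fields[0] == "host":
        return ipaddress.ip_network(fields[1]), fields[2:]
    if fields[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), fields[1:]
    addr, wildcard = fields[0], fields[1]
    # IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> 255.255.255.0
    mask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), fields[2:]

def parse_ace(line):
    """Parse a crypto ACL entry of the form 'permit ip <src> <dst>' into (src, dst) networks."""
    parts = line.split()
    if parts[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _take_address(parts[2:])
    dst, rest = _take_address(rest)
    return src, dst

def negotiated_mode(crypto_acl, local_peer, remote_peer):
    """'transport' only if every ACE matches just the two peer addresses, else 'tunnel'."""
    endpoints = {ipaddress.ip_network(local_peer), ipaddress.ip_network(remote_peer)}
    for line in crypto_acl:
        src, dst = parse_ace(line)
        if src not in endpoints or dst not in endpoints:
            return "tunnel"
    return "transport"

def outer_header(mode, inner_src, inner_dst, local_peer, remote_peer):
    """Addresses a sniffer on the R1-R2 link sees on the ESP packet."""
    if mode == "tunnel":
        return local_peer, remote_peer  # new outer IP header wraps the whole original packet
    return inner_src, inner_dst         # original header kept, ESP inserted after it

def demo():
    """Constructed topology: loopback-to-loopback ACL (the poster's setup) vs endpoint-only ACL."""
    r1, r2 = "192.0.2.1", "192.0.2.2"
    results = {}
    for name, acl in {"loopbacks": ["permit ip host 10.1.1.1 host 10.2.2.2"],
                      "endpoints": ["permit ip host 192.0.2.1 host 192.0.2.2"]}.items():
        mode = negotiated_mode(acl, r1, r2)
        results[name] = (mode, outer_header(mode, "10.1.1.1", "10.2.2.2", r1, r2))
    return results

if __name__ == "__main__":
    for name, (mode, hdr) in demo().items():
        print(f"{name}: mode={mode}, sniffer sees {hdr[0]} -> {hdr[1]}")
```

Running it shows the loopback ACL negotiating tunnel mode with 192.0.2.1 -> 192.0.2.2 on the wire, exactly what the original post observed, while the endpoint-only ACL yields transport mode.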
