IPsec in transport mode !

Jul 27th, 2009

Hi all, I was testing site-to-site VPN. My diagram is simple. I am testing it on GNS3 to observe traffic via Wireshark.


R1 is connected to R2 over Fa0/0. R1 has a loopback 20.0.0.1/8 and R2 a loopback 30.0.0.1/8. Traffic needs to be encrypted when 20.0.0.1 sends any IP packet to 30.0.0.1 and vice versa. The configuration is a standard site-to-site VPN except for this


crypto ipsec transform-set aset esp-des esp-md5-hmac
 mode transport


at both ends.


Now the issue is, the VPN is forming correctly, but when I check the debugs and show crypto ipsec sa, I am still seeing the mode to be Tunnel!! In Wireshark I can see that when I send a ping like this


R1#ping 30.0.0.1 source 20.0.0.1
!!!!!


I am seeing the source and destination IPs to be 10.0.0.1 and 10.0.0.2 respectively. Why is this so? Two questions arise here:


1) Why are both ends negotiating tunnel mode instead of transport mode?

2) Why am I not seeing the original IP header? (This again falls back to question 1 above.)


I am really confused here. Did I misunderstand transport mode?

Ivan Martinon (Cisco Employee) Tue, 07/28/2009 - 13:02

You are not wrong on how transport mode works; however, AFAIK transport mode only works for remote access connections. LAN-to-LAN does not support transport mode.

meezanbank Tue, 07/28/2009 - 20:50

Dear Sir, I figured it out!! If in the crypto ACLs we define only the endpoint IPs, then the router will negotiate transport mode; if this is not the case, then it will always negotiate tunnel mode.


Thanks for the feedback sir :-)
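The behaviour in the original question (transport configured, Tunnel shown in show crypto ipsec sa, peer addresses 10.0.0.1 -> 10.0.0.2 in Wireshark) and the rule in the answer above (transport is only negotiated when the crypto ACL covers just the peer endpoints) can be checked against a configuration before it is pushed to a router. The script below is an added example, not code from the thread or from Cisco: it parses the small IOS subset the thread shows (transform-set with its mode, a crypto map entry, a numbered extended ACL), decides which mode IOS will actually negotiate, and reports which addresses the cleartext IP header of the resulting ESP packet exposes. The two embedded configurations are constructed; the thread never shows R1's crypto ACL, so the first one assumes the usual loopback-to-loopback ACL, and the crypto map name VPN and ACL number 101 are likewise assumptions. The local peer address is passed in by the caller because on a real router it comes from the interface the crypto map is applied to.

```python
# Added example: not from the original thread or from Cisco. Models the IOS
# rule the thread arrives at: "mode transport" is honoured only when the crypto
# ACL protects exactly host-to-host traffic between the IPsec peers themselves;
# any other selector makes IOS negotiate tunnel mode, so the original IP header
# is encrypted inside ESP and Wireshark only sees the peer addresses.
import ipaddress
from dataclasses import dataclass, field

# Constructed R1 configs. The thread does not show R1's crypto ACL, so the first
# assumes the usual loopback-to-loopback ACL; the second uses the peer
# addresses, as the thread's answer recommends. Map name / ACL number assumed.
R1_LOOPBACK_ACL = """
crypto ipsec transform-set aset esp-des esp-md5-hmac
 mode transport
crypto map VPN 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set aset
 match address 101
access-list 101 permit ip host 20.0.0.1 host 30.0.0.1
"""

R1_PEER_ACL = R1_LOOPBACK_ACL.replace(
    "permit ip host 20.0.0.1 host 30.0.0.1",
    "permit ip host 10.0.0.1 host 10.0.0.2")


@dataclass
class CryptoMap:
    transform_modes: dict = field(default_factory=dict)  # transform-set name -> mode
    acls: dict = field(default_factory=dict)             # ACL number -> [(src, dst)]
    peer: str = ""
    transform_set: str = ""
    acl_number: str = ""


def _parse_addr(tokens):
    """Consume one IOS ACL address: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))  # assumes a contiguous mask
    prefixlen = 32 - bin(wildcard).count("1")
    return ipaddress.ip_network(f"{t}/{prefixlen}", strict=False)


def parse_ios(text):
    """Pull the transform-set modes, crypto map entry and crypto ACL out of a config."""
    cfg = CryptoMap()
    current_ts = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:3] == ["crypto", "ipsec", "transform-set"]:
            current_ts = tok[3]
            cfg.transform_modes[current_ts] = "tunnel"  # IOS default without a 'mode' line
        elif tok[0] == "mode" and current_ts:
            cfg.transform_modes[current_ts] = tok[1]
        elif tok[:2] == ["crypto", "map"]:
            current_ts = None
        elif tok[:2] == ["set", "peer"]:
            cfg.peer = tok[2]
        elif tok[:2] == ["set", "transform-set"]:
            cfg.transform_set = tok[2]
        elif tok[:2] == ["match", "address"]:
            cfg.acl_number = tok[2]
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            rest = tok[4:]
            src = _parse_addr(rest)
            dst = _parse_addr(rest)
            cfg.acls.setdefault(tok[1], []).append((src, dst))
    return cfg


def negotiated_mode(cfg, local_peer):
    """Mode IOS actually negotiates for this crypto map entry."""
    if cfg.transform_modes[cfg.transform_set] != "transport":
        return "tunnel"
    peers = (ipaddress.ip_network(local_peer + "/32"),
             ipaddress.ip_network(cfg.peer + "/32"))
    # Transport mode needs the protected traffic to be host-to-host between the
    # SA endpoints; a loopback or LAN selector forces tunnel mode.
    entries = cfg.acls[cfg.acl_number]
    return "transport" if all(e == peers for e in entries) else "tunnel"


def on_the_wire(cfg, local_peer, src, dst):
    """Addresses in the cleartext IP header Wireshark sees for a src -> dst packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(s in sn and d in dn for sn, dn in cfg.acls[cfg.acl_number]):
        return {"protected": False, "mode": None, "header": (src, dst)}
    mode = negotiated_mode(cfg, local_peer)
    if mode == "tunnel":
        # New outer header with the peer addresses; the original header is
        # inside the encrypted ESP payload and never visible on the wire.
        return {"protected": True, "mode": mode, "header": (local_peer, cfg.peer)}
    # Transport: ESP is inserted after the original header, which stays visible.
    return {"protected": True, "mode": mode, "header": (src, dst)}


if __name__ == "__main__":
    for name, text in (("loopback ACL", R1_LOOPBACK_ACL), ("peer ACL", R1_PEER_ACL)):
        cfg = parse_ios(text)
        print(name, negotiated_mode(cfg, "10.0.0.1"),
              on_the_wire(cfg, "10.0.0.1", "20.0.0.1", "30.0.0.1"),
              on_the_wire(cfg, "10.0.0.1", "10.0.0.1", "10.0.0.2"))
```

Running it reproduces the thread: with the loopback ACL the script reports tunnel mode and a 10.0.0.1 -> 10.0.0.2 header for the loopback ping, exactly what the original capture showed; with the peer-address ACL it reports transport mode, but then the loopback-to-loopback ping no longer matches the crypto ACL at all and leaves the router in cleartext. That is the practical consequence of the answer above: transport mode between two routers protects router-to-router traffic only, which is why it is normally paired with a GRE tunnel that carries the loopback or LAN traffic between the peers.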
