GET VPN in transport mode

Unanswered Question
Nov 3rd, 2009

I am about to implement GET VPN and, while reading Cisco's website, found the following:

IPsec transport mode suffers from fragmentation and reassembly limitations and must not be used in deployments where encrypted or clear packets might require fragmentation.

I just do not understand why transport mode suffers from fragmentation and reassembly problems when it has less overhead than tunnel mode.

petr_lopuhov Tue, 11/03/2009 - 23:52

The reason is the lack of an additional IP encapsulation header in transport mode. When a cleartext IP packet is fragmented prior to IPSec encapsulation and then fragmented en route once again, two headers are required to properly maintain double fragmentation.

When using IPsec transport mode, this is impossible because just one IP header is used. You need to use another tunneling layer inside IPsec - e.g. GRE or IPIP, like DMVPN does - or use IPsec tunnel mode (effectively the same, but native to IPSec).
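To make the "one header versus two headers" argument concrete, here is an added simulation that is not part of the original thread and not Cisco code. It models only the IPv4 fragmentation bookkeeping (Identification, MF flag, Fragment Offset); the ESP "encryption" is a placeholder XOR and `ESP_OVERHEAD` is a constructed stand-in for the bytes ESP adds, so the whole thing runs offline. A cleartext datagram is fragmented at a LAN MTU, protected in either transport or tunnel mode, fragmented again at a smaller path MTU, and then handed to a receiver-side reassembly routine that rejects gaps and overlaps the way a real reassembly queue would.

```python
"""Why a single IP header cannot carry two levels of fragmentation.

Constructed model (not Cisco or IOS code): headers are dicts, ESP is a
placeholder XOR plus a fixed overhead, and only the IPv4 fragmentation
fields (ID, MF, offset) are modelled faithfully.
"""
import itertools
import struct

_ids = itertools.count(1)   # constructed IP Identification generator
ESP_OVERHEAD = 8            # constructed stand-in for ESP header+trailer bytes
_KEY = 0x5A                 # placeholder "cipher" key, not real ESP crypto


def make_packet(payload: bytes) -> dict:
    """An unfragmented IP datagram: header fields plus payload."""
    return {"id": next(_ids), "mf": 0, "off": 0, "data": payload}


def fragment(pkt: dict, mtu: int) -> list:
    """IP fragmentation: pieces share the ID, carry absolute offsets, and
    every piece except the last piece of a final fragment keeps MF set."""
    pieces = [pkt["data"][i:i + mtu] for i in range(0, len(pkt["data"]), mtu)]
    return [{"id": pkt["id"],
             "mf": 1 if (n < len(pieces) - 1 or pkt["mf"]) else 0,
             "off": pkt["off"] + n * mtu,
             "data": piece}
            for n, piece in enumerate(pieces)]


def reassemble(frags: list):
    """Rebuild one datagram from fragments sharing an ID.  Returns None on a
    gap or an overlap, which is what a receiver's reassembly queue sees."""
    frags = sorted(frags, key=lambda f: f["off"])
    expected, data = 0, b""
    for f in frags:
        if f["off"] != expected:
            return None                 # gap, or overlapping fragment
        data += f["data"]
        expected += len(f["data"])
    return data if frags and frags[-1]["mf"] == 0 else None


def group_by_id(frags: list) -> dict:
    groups = {}
    for f in frags:
        groups.setdefault(f["id"], []).append(f)
    return groups


def esp_protect(data: bytes) -> bytes:
    return b"\x00" * ESP_OVERHEAD + bytes(b ^ _KEY for b in data)


def esp_unprotect(blob: bytes) -> bytes:
    return bytes(b ^ _KEY for b in blob[ESP_OVERHEAD:])


def transport_encap(frag: dict) -> dict:
    """Transport mode: the original header (fragmentation fields included)
    is kept; only the payload grows by the ESP overhead."""
    return dict(frag, data=esp_protect(frag["data"]))


def tunnel_encap(frag: dict) -> dict:
    """Tunnel mode: the whole inner packet, header included, is protected
    and placed behind a fresh outer header with its own fragmentation fields."""
    inner = struct.pack(">HBH", frag["id"], frag["mf"], frag["off"]) + frag["data"]
    return {"id": next(_ids), "mf": 0, "off": 0, "data": esp_protect(inner)}


def tunnel_decap(blob: bytes) -> dict:
    inner = esp_unprotect(blob)
    pid, mf, off = struct.unpack(">HBH", inner[:5])
    return {"id": pid, "mf": mf, "off": off, "data": inner[5:]}


def deliver(payload: bytes, mode: str, lan_mtu: int, path_mtu: int):
    """Cleartext fragmentation at lan_mtu, IPsec, re-fragmentation at
    path_mtu, then receiver-side reassembly.  Returns the recovered bytes,
    or None when the receiver cannot reassemble."""
    clear_frags = fragment(make_packet(payload), lan_mtu)
    encap = transport_encap if mode == "transport" else tunnel_encap
    on_wire = [p for f in clear_frags for p in fragment(encap(f), path_mtu)]

    if mode == "transport":
        # One header: its ID and offsets already describe the cleartext
        # datagram, so the ESP-expanded pieces land on overlapping offsets.
        pieces = next(iter(group_by_id(on_wire).values()))
        blob = reassemble(pieces)
        return esp_unprotect(blob) if blob is not None else None

    # Two headers: reassemble each outer packet, decrypt, then reassemble
    # the inner fragments by their own ID and offsets.
    inner_frags = []
    for pieces in group_by_id(on_wire).values():
        blob = reassemble(pieces)
        if blob is None:
            return None
        inner_frags.append(tunnel_decap(blob))
    return reassemble(inner_frags)
```

Running `deliver` with a LAN MTU smaller than the datagram and a path MTU smaller still reproduces the case the answer describes: tunnel mode recovers the payload because the outer header absorbs the en-route fragmentation and the inner header still describes the cleartext datagram, while transport mode returns None because the single header's offsets no longer match the ESP-expanded pieces. With no cleartext fragmentation (`lan_mtu` larger than the datagram) transport mode works even when the path fragments the encrypted packet, which is why the limitation only bites in deployments where both stages can fragment.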



This Discussion