GET VPN in transport mode

yuhuiyao
Level 1

All,

I am about to implement GET VPN and read the following on Cisco's website:

IPsec transport mode suffers from fragmentation and reassembly limitations and must not be used in deployments where encrypted or clear packets might require fragmentation.

I just do not understand why transport mode suffers from fragmentation and reassembly limitations when it has less overhead than tunnel mode.


petr_lopuhov
Level 1

Hi,

The reason is the lack of an additional IP encapsulation header in transport mode. When a cleartext IP packet is fragmented prior to IPsec encapsulation and then fragmented en route once again, two headers are required to properly maintain the double fragmentation.

When using IPsec transport mode, this is impossible because only one IP header is used. You need to use another tunneling layer inside IPsec - e.g. GRE or IPIP, like DMVPN does - or use IPsec tunnel mode (effectively the same, but native to IPsec).

HTH
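To make the header-accounting argument in the reply concrete, here is an added Python model (not from the thread or from Cisco) of the two fragmentation stages. It tracks only header counts and fragment fields, not real ESP processing, and the ESP_OVERHEAD figure is an assumption used for the size arithmetic.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

IP_HDR = 20          # bytes, IPv4 header without options
ESP_OVERHEAD = 24    # assumption: ESP header + IV + trailer + ICV, rounded
ESP = 50             # IP protocol number for ESP

@dataclass(frozen=True)
class Packet:
    """Constructed IPv4 model: one header plus payload size; tunnel mode nests a Packet."""
    ident: int
    proto: int
    payload: int               # bytes carried after this header
    offset: int = 0            # fragment offset in bytes
    more: bool = False         # MF (more fragments) flag
    inner: Optional["Packet"] = None

    @property
    def is_fragment(self) -> bool:
        return self.more or self.offset > 0

def fragment(pkt: Packet, mtu: int) -> List[Packet]:
    """IPv4 fragmentation: every piece but the last carries a multiple of 8 bytes."""
    room = (mtu - IP_HDR) // 8 * 8
    if IP_HDR + pkt.payload <= mtu:
        return [pkt]
    pieces, pos = [], 0
    while pos < pkt.payload:
        size = min(room, pkt.payload - pos)
        last = pos + size == pkt.payload
        pieces.append(replace(pkt, payload=size, offset=pkt.offset + pos,
                              more=pkt.more or not last))
        pos += size
    return pieces

def esp_transport(pkt: Packet) -> Packet:
    """Transport mode reuses the original header, so an already-fragmented packet
    has nowhere to keep a second set of fragment fields: refuse it."""
    if pkt.is_fragment:
        raise ValueError("transport mode cannot protect an IP fragment")
    return replace(pkt, proto=ESP, payload=pkt.payload + ESP_OVERHEAD)

def esp_tunnel(pkt: Packet, outer_ident: int) -> Packet:
    """Tunnel mode adds a fresh outer header; the inner header keeps its own MF/offset."""
    return Packet(outer_ident, ESP, IP_HDR + pkt.payload + ESP_OVERHEAD, inner=pkt)

def fragment_states(pkt: Packet) -> int:
    """Number of independent (ident, offset, MF) tuples the packet can carry."""
    return 1 + (fragment_states(pkt.inner) if pkt.inner else 0)

def tunnel_path(clear: Packet, mtu: int) -> List[Packet]:
    """Cleartext fragmented before encryption, then the ESP packets fragmented again en route."""
    out = []
    for i, frag in enumerate(fragment(clear, mtu)):
        out.extend(fragment(esp_tunnel(frag, 1000 + i), mtu))
    return out
```

Running `tunnel_path` on a 2000-byte packet with a 1500-byte MTU yields outer fragments that each still carry the inner header's own fragment fields, while `esp_transport` has to reject a pre-fragmented packet outright.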