DMVPN Tunnel versus Transport mode

Unanswered Question
Sep 4th, 2010

We are running DMVPN phase II with IPsec AES 256, Transform-set enabled for Tunnel mode.

sh crypto ipsec sa shows "in use setting ={Tunnel  }"

While capturing with Wireshark, switching to transport mode to compare the differences and to ensure this level is really secure,

run a "clear crypto sa",

ISAKMP reestablishes,

sh crypto ipsec sa indicates transport mode "in use setting ={Transport,  }" as well as resetting encapsulated/decapsulated packet count.

When a packet from tunnel mode is compared to a packet from transport mode, both packets appear pretty much the same.

The only real difference between the two packets is Total Length.

Pinging from both ends is successful.

I thought that when running in transport mode, I would be able to see the inner LAN IP addresses (tunnel0), hence the purpose of switching to tunnel mode.

Am I missing something?



Config: All passwords, keys and personal settings have been changed in the config below. Everything else remains the same.

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key <key-removed> address
crypto ipsec transform-set FFFFFF esp-aes 256
 mode transport
crypto ipsec profile IPSEC-SECURE
 set transform-set FFFFFF
interface Tunnel0
 ip address
 no ip redirects
 ip mtu 1400
 ip nhrp authentication <REMOVED>
 ip nhrp map multicast dynamic
 ip nhrp network-id 2222
 ip nhrp holdtime 60
 ip ospf message-digest-key 200 md5 OSPF-AUTH
 ip ospf network broadcast
 ip ospf database-filter all out
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1111
 tunnel protection ipsec profile IPSEC-SECURE

Lei Tian Sat, 09/04/2010 - 11:35
User Badges:
  • Cisco Employee,

Hi Frank,

All traffic will be encapsulated first with the GRE tunnel's source and destination. You will not see a difference between transport mode and tunnel mode. Transport mode is actually the recommended mode for DMVPN, because it saves 20 bytes of overhead.

The only case you have to use tunnel mode is when using dual tier DMVPN, MGRE and encryption are on different routers.


Lei Tian

Federico Coto F... Sat, 09/04/2010 - 17:07

Just to add...

The reason it is recommended to use transport mode when using GRE/IPsec or DMVPN is that the encapsulation is done by GRE and only the encryption is done by IPsec.

If, on the other hand, you use tunnel mode, it means that besides doing the GRE encapsulation, IPsec will also encapsulate the packet, and that will create more overhead than necessary.


fsebera Tue, 09/07/2010 - 10:05

Are you saying that if I was just running a point-to-point VPN with IPsec enabled, transport mode would show the inner IP addresses of the virtual tunnel interface while tunnel mode would hide the virtual tunnel IP addresses?

BUT, since I am running DMVPN over mGRE inside IPsec, the mode (tunnel or transport) is really moot because mGRE has already protected the virtual tunnel interface IP addresses?



Lei Tian Tue, 09/07/2010 - 10:14
User Badges:
  • Cisco Employee,

Hi Frank,

That is correct. Transport mode will only encrypt the data payload and use the original IP header; tunnel mode will encrypt the whole IP packet (header + payload) and use a new IP header.

When using DMVPN, all traffic passing through the tunnel interface will be encapsulated first with the GRE source and destination, and the same IP addresses will be used for the IPsec peers. Therefore, there is no difference between using transport and tunnel mode.


Lei Tian
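The layering discussed in this thread, as an added Python sketch that is not part of the original posts: it models GRE inside ESP for both modes and reports which header fields stay in the clear and the resulting IP Total Length. It assumes AES-CBC (16-byte IV and block), no ESP authentication trailer (the posted transform-set has none), an 8-byte GRE header (tunnel key present) and no NAT-T; the addresses and packet sizes are constructed. Because ESP pads to the cipher block size, the 20-byte header difference appears on the wire as 16 or 32 bytes.

```python
# Added illustration, not from the thread. Sizes are in bytes.
# Assumptions: AES-CBC (16-byte IV and block), no ESP authentication trailer
# (the posted transform-set has none), GRE header with tunnel key, no NAT-T.
IP_HDR, GRE_HDR, ESP_HDR, AES_IV, AES_BLOCK = 20, 8, 8, 16, 16


def esp_wire_packet(mode, inner_len, nbma_src, nbma_dst):
    """Return (cleartext header fields, encrypted layers, IP total length)."""
    if mode not in ("transport", "tunnel"):
        raise ValueError(f"unknown IPsec mode: {mode}")
    # GRE always prepends a delivery IP header (tunnel source/destination)
    # in front of the packet that carries the Tunnel0 / LAN addresses.
    delivery = ("ip", nbma_src, nbma_dst, IP_HDR)
    gre_packet = [delivery, ("gre", GRE_HDR), ("inner-ip-packet", inner_len)]
    if mode == "transport":
        # ESP goes after the delivery header, which stays in the clear.
        outer, protected = gre_packet[0], gre_packet[1:]
    else:
        # ESP encrypts the whole GRE packet and adds a new IP header between
        # the IPsec peers; in DMVPN those are the same two addresses.
        outer, protected = ("ip", nbma_src, nbma_dst, IP_HDR), gre_packet
    # ESP trailer: padding, then pad-length and next-header (1 byte each).
    plaintext = sum(layer[-1] for layer in protected) + 2
    padded = -(-plaintext // AES_BLOCK) * AES_BLOCK  # round up to a block
    total = IP_HDR + ESP_HDR + AES_IV + padded
    cleartext = {"src": outer[1], "dst": outer[2], "proto": "ESP (50)"}
    return cleartext, [layer[0] for layer in protected], total


def compare(inner_len, src="192.0.2.1", dst="198.51.100.1"):
    """Compare both modes for one inner packet (constructed addresses)."""
    t_clear, t_enc, t_len = esp_wire_packet("transport", inner_len, src, dst)
    u_clear, u_enc, u_len = esp_wire_packet("tunnel", inner_len, src, dst)
    return {"same_cleartext": t_clear == u_clear, "transport_len": t_len,
            "tunnel_len": u_len, "extra_bytes": u_len - t_len,
            "transport_encrypts": t_enc, "tunnel_encrypts": u_enc}


if __name__ == "__main__":
    for size in (92, 100):  # constructed inner packet sizes
        print(size, compare(size))
```

In both modes the only cleartext fields are the two public tunnel endpoints and the ESP protocol number, so a capture differs only in Total Length; the Tunnel0 and LAN addresses sit inside the encrypted GRE payload either way.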

Federico Coto F... Tue, 09/07/2010 - 10:22

Yes, and just to add again :-)

Transport mode works because both the GRE and IPsec addresses are the same ones (DMVPN).

If for instance, you have:

Router --- ASA --- Internet --- ASA --- Router

And you have a GRE tunnel between routers being protected by an IPsec tunnel between the ASAs (then transport mode won't work).

Just a note (not important to your question).


Lei Tian Tue, 09/07/2010 - 10:31
User Badges:
  • Cisco Employee,

Hi Federico,

That's exactly what I said in the initial post. See

'The only case you have to use tunnel mode is when using dual tier DMVPN, MGRE and encryption are on different routers.'

But that is good, we agreed on the same thing.


Lei Tian

wasim chandel Thu, 04/27/2017 - 08:33

Hi Lei,

Transport mode would be preferred as it would not hide the IP headers, and even if it did it will replace the same at the other end of the tunnel, as you are stating that the peer IPs will be the same as well. Also, using the tunnel mode in this case will be like encrypting the IP header and then replacing it with the same IP header at the other end of the tunnel.

Is that correct?

