DMVPN Tunnel versus Transport mode

Unanswered Question
Sep 4th, 2010

We are running DMVPN phase II with IPsec AES 256, Transform-set enabled for Tunnel mode.

sh crypto ipsec sa shows "in use settings ={Tunnel, }".

While capturing with Wireshark, I switched to transport mode to compare the differences and to ensure this level is really secure: ran a "clear crypto sa", ISAKMP reestablishes, and sh crypto ipsec sa indicates transport mode ("in use settings ={Transport, }") as well as resetting the encapsulated/decapsulated packet count.

When a packet from tunnel mode is compared to a packet from transport mode, both packets appear pretty much the same.

The only real difference between the two packets is Total Length.

Pinging from both ends is successful.

I thought when running in transport mode, I would be able to see the inner LAN IP addresses (tunnel0), hence the purpose of switching to tunnel mode.

Am I missing something?

Thanks

Frank

Config: All passwords, keys and personal settings have been changed in the config below. Everything else remains the same.

! Phase 1 (ISAKMP) policy. 3DES and MD5 are legacy choices; they do not
! affect the tunnel/transport question below.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
! One wildcard pre-shared key accepted from any peer address
crypto isakmp key <key-removed> address 0.0.0.0 0.0.0.0
!
! Phase 2 transform: ESP with AES-256 only. No esp-sha-hmac is listed, so ESP
! provides confidentiality without an integrity check (no ICV on the wire).
crypto ipsec transform-set FFFFFF esp-aes 256
! Transport mode: ESP reuses the GRE packet's own IP header instead of
! adding a second, identical one (saves 20 bytes per packet)
mode transport
!
crypto ipsec profile IPSEC-SECURE
set transform-set FFFFFF
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication <REMOVED>
ip nhrp map multicast dynamic
ip nhrp network-id 2222
ip nhrp holdtime 60
ip ospf message-digest-key 200 md5 OSPF-AUTH
ip ospf network broadcast
ip ospf database-filter all out
tunnel source FastEthernet0/0
tunnel mode gre multipoint
! GRE key: sets the K bit and adds 4 bytes to every GRE header
tunnel key 1111
! mGRE and IPsec terminate on this same router, so the GRE endpoints and the
! IPsec peers are the same addresses
tunnel protection ipsec profile IPSEC-SECURE

Lei Tian Sat, 09/04/2010 - 11:35

Hi Frank,

All traffic will be encapsulated first with the GRE tunnel's source and destination. You will not see a difference between transport mode and tunnel mode. Transport mode is actually the recommended mode for DMVPN, because it saves 20 bytes of overhead.

The only case where you have to use tunnel mode is dual-tier DMVPN, where mGRE and encryption are on different routers.

HTH,

Lei Tian

Federico Coto F... Sat, 09/04/2010 - 17:07

Just to add...

The reason it is recommended to use transport mode with GRE/IPsec or DMVPN is that the encapsulation is done by GRE and only the encryption is done by IPsec.

If, on the other hand, you use tunnel mode, then besides the GRE encapsulation IPsec will also encapsulate the packet, and that creates more overhead than necessary.


Federico.

fsebera Tue, 09/07/2010 - 10:05

Are you saying that if I were just running a point-to-point VPN with IPsec enabled, transport mode would show the inner IP addresses of the virtual tunnel interface while tunnel mode would hide the virtual tunnel IP addresses?

BUT, since I am running DMVPN over mGRE inside IPsec, the mode (tunnel or transport) is really moot because mGRE has already protected the virtual tunnel interface IP addresses?

Thanks

Frank

Lei Tian Tue, 09/07/2010 - 10:14

Hi Frank,

That is correct. Transport mode will only encrypt the data payload and use the original IP header; tunnel mode will encrypt the whole IP packet (header + payload) and use a new IP header.

When using DMVPN, all traffic passing through the tunnel interface will be encapsulated first with the GRE source and destination, and the same IP addresses will be used for the IPsec peers. Therefore, there is no difference between using transport and tunnel mode.

HTH,

Lei Tian
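The packet layout that both replies describe, as an added worked example that is not part of the original thread. It builds one DMVPN ping as it would appear on the wire in IPsec transport mode and in tunnel mode, using the Tunnel0 addresses and the GRE key from the posted config; the public endpoint addresses, the SPI, the zero IV and the ping size are constructed values, and the region a router would encrypt is modelled as a labelled segment rather than actually encrypted, so the layout can be inspected. The `icv_len` parameter is an assumption for comparing against a transform set that also has an auth transform (esp-sha-hmac appends a 12-byte ICV); the posted `esp-aes 256` has none.

```python
"""DMVPN ping on the wire: IPsec transport mode versus tunnel mode.

Added example, not code from the original thread. Addresses other than the
Tunnel0 ones, the SPI, the IV and the ping size are constructed; the bytes a
router would encrypt are kept readable and only flagged as 'encrypted'.
"""
import struct
from dataclasses import dataclass

AES_BLOCK = 16                                   # esp-aes is AES-CBC: payload padded to 16-byte blocks
PROTO_ICMP, PROTO_IPIP, PROTO_GRE, PROTO_ESP = 1, 4, 47, 50
OUTER_A, OUTER_B = "198.51.100.1", "203.0.113.1"  # constructed GRE/IPsec endpoint addresses
TUN_A, TUN_B = "10.0.0.1", "10.0.0.2"             # Tunnel0 addresses from the posted config


@dataclass
class Segment:
    name: str
    data: bytes
    encrypted: bool      # True when the bytes sit inside the ESP payload


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def gre_header(key, proto: int = 0x0800) -> bytes:
    """GRE header (RFC 2890); 'tunnel key 1111' sets the K bit and adds 4 bytes."""
    hdr = struct.pack("!HH", 0x2000 if key is not None else 0, proto)
    return hdr + struct.pack("!I", key) if key is not None else hdr


def icmp_echo(data_len: int) -> bytes:
    """Constructed ICMP echo request; 72 data bytes fills Cisco's default 100-byte ping."""
    msg = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"\xab" * data_len
    return msg[:2] + struct.pack("!H", _checksum(msg)) + msg[4:]


def esp_pad_len(plaintext_len: int, block: int = AES_BLOCK) -> int:
    """Pad so plaintext + pad + pad-length byte + next-header byte fills whole blocks."""
    return (-(plaintext_len + 2)) % block


def build_packet(mode, payload, gre_key=1111, icv_len=0, spi=0x5A4B3C2D, seq=1):
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    inner_ip = ipv4_header(TUN_A, TUN_B, PROTO_ICMP, 20 + len(payload))
    gre = gre_header(gre_key)
    protected = []
    if mode == "tunnel":
        # Tunnel mode wraps the complete GRE/IP packet, so a second IP header carrying
        # the same GRE endpoint addresses rides inside ESP: 20 bytes that buy nothing.
        encap = ipv4_header(OUTER_A, OUTER_B, PROTO_GRE, 20 + len(gre) + len(inner_ip) + len(payload))
        protected.append(Segment("encapsulated IP header (GRE endpoints)", encap, True))
        next_header = PROTO_IPIP
    else:
        next_header = PROTO_GRE        # transport mode: ESP payload starts at the GRE header
    protected += [Segment("GRE header", gre, True),
                  Segment("inner IP header (Tunnel0 addresses)", inner_ip, True),
                  Segment("ICMP echo", payload, True)]
    plain_len = sum(len(s.data) for s in protected)
    pad = esp_pad_len(plain_len)
    trailer = bytes(range(1, pad + 1)) + struct.pack("!BB", pad, next_header)  # RFC 4303 pad pattern
    esp_hdr = struct.pack("!II", spi, seq) + bytes(AES_BLOCK)                   # SPI, seq, IV (zero placeholder)
    esp_len = len(esp_hdr) + plain_len + len(trailer) + icv_len
    segments = [Segment("outer IP header", ipv4_header(OUTER_A, OUTER_B, PROTO_ESP, 20 + esp_len), False),
                Segment("ESP SPI / sequence / IV", esp_hdr, False)]
    segments += protected + [Segment("ESP trailer (pad, pad len, next header)", trailer, True)]
    if icv_len:                        # only present with an auth transform such as esp-sha-hmac
        segments.append(Segment("ESP ICV", bytes(icv_len), False))
    return segments


def total_length(segments) -> int:
    return sum(len(s.data) for s in segments)


def cleartext(segments) -> bytes:
    """What a capture on the WAN side can actually read."""
    return b"".join(s.data for s in segments if not s.encrypted)


def address_visible(segments, addr: str) -> bool:
    return ip_bytes(addr) in cleartext(segments)


def length_delta(icmp_data_len: int, **kw) -> int:
    """Outer Total Length of tunnel mode minus transport mode for one ping size."""
    payload = icmp_echo(icmp_data_len)
    return total_length(build_packet("tunnel", payload, **kw)) - total_length(build_packet("transport", payload, **kw))


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        pkt = build_packet(mode, icmp_echo(72))
        print(f"{mode}: Total Length {total_length(pkt)}, cleartext {len(cleartext(pkt))} bytes")
        for s in pkt:
            print(f"  {'ENC ' if s.encrypted else 'CLR '}{len(s.data):3d}  {s.name}")
        print(f"  10.0.0.1 visible in capture: {address_visible(pkt, TUN_A)}")
    print("tunnel minus transport, 100-byte ping:", length_delta(72), "bytes;  96-byte ping:", length_delta(68))
```

Running it shows what Frank saw in Wireshark: in both modes the only readable fields are the outer IP header and the ESP SPI, sequence number and IV, and the Tunnel0 addresses never appear in cleartext, because the GRE header and the inner IP header are already inside the ESP payload. The nominal 20-byte saving of transport mode shows up on the wire as 16 or 32 bytes depending on the ping size, because AES-CBC rounds the ESP payload up to a 16-byte block; the comparison is the same whether or not an ICV is present.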

Federico Coto F... Tue, 09/07/2010 - 10:22

Yes and just to add again  :-)

Transport mode works because both the GRE and IPsec addresses are the same ones (DMVPN)

If for instance, you have:

Router --- ASA --- Internet --- ASA --- Router

And you have a GRE tunnel between the routers being protected by an IPsec tunnel between the ASAs, then transport mode won't work.

Just a note (not important to your question).

Federico.

Lei Tian Tue, 09/07/2010 - 10:31

Hi Federico,

That's exactly what I said in the initial post. See

'The only case where you have to use tunnel mode is dual-tier DMVPN, where mGRE and encryption are on different routers.'

But that is good, we agreed on the same thing.

Regards,

Lei Tian
