09-04-2010 10:17 AM - edited 02-21-2020 04:49 PM
We are running DMVPN phase II with IPsec AES 256, Transform-set enabled for Tunnel mode.
sh crypto ipsec sa shows "in use setting ={Tunnel }"
While capturing with Wireshark, I switched to transport mode to compare the differences and to ensure this level is really secure:
I ran a "clear crypto sa",
ISAKMP re-established,
and sh crypto ipsec sa indicated transport mode, "in use setting ={Transport, }", as well as resetting the encapsulated/decapsulated packet count.
When a packet from tunnel mode is compared to a packet from transport mode, both packets appear pretty much the same.
The only real difference between the two packets is Total Length.
Pinging from both ends is successful.
I thought that when running in transport mode I would be able to see the inner LAN IP addresses (Tunnel0), hence the purpose of switching to tunnel mode.
Am I missing something?
Thanks
Frank
Config: All passwords, keys and personal settings have been changed in the config below. Everything else remains the same.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key <key-removed> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set FFFFFF esp-aes 256
 mode transport
!
crypto ipsec profile IPSEC-SECURE
 set transform-set FFFFFF
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication <REMOVED>
 ip nhrp map multicast dynamic
 ip nhrp network-id 2222
 ip nhrp holdtime 60
 ip ospf message-digest-key 200 md5 OSPF-AUTH
 ip ospf network broadcast
 ip ospf database-filter all out
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1111
 tunnel protection ipsec profile IPSEC-SECURE
09-04-2010 11:35 AM
Hi Frank,
All traffic will be encapsulated first with the GRE tunnel's source and destination. You will not see a difference between transport mode and tunnel mode. Transport mode is actually the recommended mode for DMVPN, because it saves 20 bytes of overhead.
The only case where you have to use tunnel mode is dual-tier DMVPN, where mGRE and encryption are on different routers.
HTH,
Lei Tian
09-04-2010 05:07 PM
Just to add...
The reason it is recommended to use transport mode with GRE/IPsec or DMVPN is that the encapsulation is done by GRE and only the encryption is done by IPsec.
If, on the other hand, you use tunnel mode, then besides the GRE encapsulation, IPsec will also encapsulate the packet, and that creates more overhead than necessary.
Federico.
09-07-2010 10:05 AM
Are you saying that if I were just running a point-to-point VPN with IPsec enabled, transport mode would show the inner IP addresses of the virtual tunnel interface, while tunnel mode would hide the virtual tunnel IP addresses?
BUT, since I am running DMVPN over mGRE inside IPsec, the mode (tunnel or transport) is really moot because mGRE has already protected the virtual tunnel interface IP addresses?
Thanks
Frank
09-07-2010 10:14 AM
Hi Frank,
That is correct. Transport mode will only encrypt the data payload and use the original IP header; tunnel mode will encrypt the whole IP packet (header + payload) and use a new IP header.
When using DMVPN, all traffic passing through the tunnel interface will be encapsulated first with the GRE source and destination, and the same IP addresses will be used for the IPsec peers. Therefore, there is no difference between using transport and tunnel mode.
HTH,
Lei Tian
09-07-2010 10:22 AM
Yes and just to add again :-)
Transport mode works because both the GRE and IPsec addresses are the same ones (DMVPN).
If for instance, you have:
Router --- ASA --- Internet --- ASA --- Router
and you have a GRE tunnel between the routers being protected by an IPsec tunnel between the ASAs, then transport mode won't work.
Just a note (not important to your question).
Federico.
09-07-2010 10:31 AM
Hi Federico,
That's exactly what I said in my initial post. See:
'The only case you have to use tunnel mode is when using dual tier DMVPN, MGRE and encryption are on different routers.'
But that is good, we agreed on the same thing.
Regards,
Lei Tian
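To make the three explanations above concrete (GRE encapsulates first and ESP only encrypts in transport mode; tunnel mode adds a second IP header; transport mode only works when the GRE endpoints are the IPsec peers), here is an added Python model of the layer stack. It is not code from the thread or from Cisco. It assumes the thread's transform set (esp-aes 256 with no ESP authentication, so no ICV) and a GRE header carrying a 4-byte key field, since the config has `tunnel key 1111`; the addresses and the 100-byte inner packet are constructed.

```python
"""Model of a DMVPN packet wrapped first in GRE and then in ESP, in transport
versus tunnel mode. Added example; not from the thread. Assumes the thread's
transform set (esp-aes 256 with no ESP authentication, so no ICV) and a GRE
header with a 4-byte key field (the config has 'tunnel key 1111'). All
addresses and sizes below are constructed."""
from dataclasses import dataclass

IPV4_HDR = 20    # IPv4 header without options
GRE_HDR = 8      # 4-byte GRE header + 4-byte key (tunnel key is configured)
ESP_HDR = 8      # SPI + sequence number, always in the clear
ESP_IV = 16      # AES-CBC IV, in the clear
ESP_TRAILER = 2  # pad length + next header, encrypted
AES_BLOCK = 16   # encrypted region is padded to a multiple of this


@dataclass
class Layer:
    name: str
    length: int
    encrypted: bool
    src: str = ""   # only set for layers that carry an IP header
    dst: str = ""


@dataclass
class Wire:
    mode: str
    layers: list
    padding: int

    def total_length(self) -> int:
        """IP Total Length as a capture would show it for the outer header."""
        return sum(l.length for l in self.layers) + self.padding

    def header_overhead(self) -> int:
        """Bytes added around the inner Tunnel0 packet, before ESP padding."""
        return sum(l.length for l in self.layers if not l.name.startswith("inner"))

    def cleartext_addresses(self):
        """IP address pairs readable by a capture on the physical interface."""
        return [(l.src, l.dst) for l in self.layers if l.src and not l.encrypted]


def transport_mode_usable(gre_endpoints, ipsec_peers) -> bool:
    """Transport mode reuses the GRE delivery header as the outer header, so it
    only works when the IPsec peers are the GRE endpoints (single-tier DMVPN).
    In the Router--ASA--Internet--ASA--Router case they differ."""
    return tuple(gre_endpoints) == tuple(ipsec_peers)


def encapsulate(mode, inner_ip_len, inner, gre_endpoints, ipsec_peers) -> Wire:
    """Build the layer stack for one Tunnel0 packet of inner_ip_len bytes.

    inner         -- (src, dst) Tunnel0 addresses inside the GRE payload
    gre_endpoints -- (src, dst) written into the GRE delivery IP header
    ipsec_peers   -- (src, dst) of the IPsec SA endpoints
    """
    inner_pkt = Layer("inner IP (Tunnel0)", inner_ip_len, True, *inner)
    gre = Layer("GRE", GRE_HDR, True)
    esp_clear = [Layer("ESP header", ESP_HDR, False), Layer("ESP IV", ESP_IV, False)]
    trailer = Layer("ESP trailer", ESP_TRAILER, True)

    if mode == "transport":
        if not transport_mode_usable(gre_endpoints, ipsec_peers):
            raise ValueError("transport mode: GRE endpoints must be the IPsec peers")
        # Original GRE delivery header is kept in the clear; ESP covers GRE + inner packet.
        outer = Layer("outer IP (GRE delivery)", IPV4_HDR, False, *gre_endpoints)
        layers = [outer, *esp_clear, gre, inner_pkt, trailer]
    elif mode == "tunnel":
        # Whole GRE packet (delivery header included) is encrypted; a new outer header is added.
        outer = Layer("outer IP (new, IPsec)", IPV4_HDR, False, *ipsec_peers)
        delivery = Layer("IP (GRE delivery)", IPV4_HDR, True, *gre_endpoints)
        layers = [outer, *esp_clear, delivery, gre, inner_pkt, trailer]
    else:
        raise ValueError(f"unknown mode {mode!r}")

    encrypted_len = sum(l.length for l in layers if l.encrypted)
    padding = (-encrypted_len) % AES_BLOCK
    return Wire(mode, layers, padding)


if __name__ == "__main__":
    tunnel0 = ("10.0.0.1", "10.0.0.2")          # Tunnel0 addresses (constructed)
    routers = ("198.51.100.1", "203.0.113.1")   # physical interfaces (constructed)
    for mode in ("transport", "tunnel"):
        w = encapsulate(mode, 100, tunnel0, routers, routers)  # 100-byte IOS ping
        print(f"{mode:9s} total length {w.total_length():3d}  "
              f"overhead {w.header_overhead():2d}  visible {w.cleartext_addresses()}")
```

In both modes the only addresses left in the clear are the GRE/IPsec peer addresses, which is why Frank's capture never showed the Tunnel0 addresses. The header overhead differs by exactly the 20-byte IP header Lei mentions; the on-wire Total Length difference can be larger, because the encrypted region is padded to the AES block size separately in each mode. Passing different GRE endpoints and IPsec peers (the dual-tier case) makes `transport_mode_usable` return False and `encapsulate` refuse transport mode, while tunnel mode still produces a packet addressed to the IPsec peers.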
04-27-2017 08:33 AM
Hi Lei,
Transport mode would be preferred as it would not hide the IP headers, and even if it did, it would replace them with the same ones at the other end of the tunnel, since you are stating that the peer IPs will be the same as well. Also, using tunnel mode in this case would be like encrypting the IP header and then replacing it with the same IP header at the other end of the tunnel.
Is that correct?