We are running DMVPN phase II with IPsec AES 256, Transform-set enabled for Tunnel mode.
sh crypto ipsec sa shows "in use setting" ={Tunnel }"
While capturing with Wireshark, switching to transport mode to compare the differences and to ensure this level is really secure,
run a "clear crypto sa",
ISAKMP reestablishes,
sh crypto ipsec sa indicates transport mode "in use setting" ={Transport, }" as well as resetting encapsulated/decapsulated packet count.
When a packet from tunnel mode is compared to a packet from transport mode, both packets appear pretty much the same.
The only real difference between the two packets is Total Length.
Pinging from both ends is successful.
I thought when running in transport mode, I would be able to see the inner lan ip addresses (tunnel0), hence the purpose of switching to tunnel mode.
Am I missing something?
Thanks
Frank
Config: All passwords, keys and personal settings have been changed in the config below. Everything else remains the same.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key <key-removed> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set FFFFFF esp-aes 256
mode transport
!
crypto ipsec profile IPSEC-SECURE
set transform-set FFFFFF
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication <REMOVED>
ip nhrp map multicast dynamic
ip nhrp network-id 2222
ip nhrp holdtime 60
ip ospf message-digest-key 200 md5 OSPF-AUTH
ip ospf network broadcast
ip ospf database-filter all out
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1111
tunnel protection ipsec profile IPSEC-SECURE
