New Member

IPSEC mode

I would like to know which mode, "transport" or "tunnel", is more secure and fast. I read a Cisco page that said "mode transport" only protects the payload, but not the IP header. I would like to know which mode is the best choice for a site to site VPN tunnel.

"Mode tunnel" protects the entire original IP packet. It seems more secure, but does that mean it is not faster than "mode transport"? Thank you for your advice and help.

crypto ipsec transform-set newer esp-des esp-sha-hmac
  mode transport

crypto ipsec transform-set newer esp-des esp-sha-hmac
  mode tunnel

Hall of Fame Super Silver

IPSEC mode

I do not believe that there is any significant difference between tunnel mode and transport mode in terms of one being more "secure" than the other. They both offer the same options for encryption of the payload and the same ability to protect against spoofed, replay and man in the middle attacks.

There may be a little difference in terms of speed since tunnel mode adds another header that transport mode does not use. So the packet is a bit smaller and there is (slightly) less encryption to perform in transport mode. While I think that there might be a little performance difference, I do not believe that the difference is significant.

Which is the best choice may depend a bit on what feature you are using. For example, when doing site to site VPN using VTI, which has a VPN profile, it operates only in tunnel mode (even if you configure it to use transport mode, the negotiation of the tunnel will wind up with tunnel mode being used).

HTH

Rick

VIP Purple

Re: IPSEC mode

To add to what Rick mentioned in his last paragraph: Most of the time you don't have any choice and you can only use tunnel mode: If you build a pure IPSec-VPN with crypto-maps, you have to use tunnel mode; VTI (as mentioned) only uses tunnel mode. Remote-access VPN only uses tunnel mode.

Or the other way round:
You only can use transport-mode if the device that generates the data also protects them and the device that decrypts the data also processes them. So most of the time that is not the case as a client generates the data, a router protects them, another router decrypts them and passes them on to a server which processes the data.

One VPN-style where you can use transport-mode is GRE over IPSec.

The above traffic flow is the same, but this time the router builds a new (GRE) IP packet. This can be protected in transport mode as the router generated the GRE packet. The IPSec peer receives the packet, decrypts it and is the recipient of the GRE packet. So here transport mode can be used.

The more typical usage of transport-mode is IPSec for end-to-end encryption where the PCs (for example AD-joined PCs) are forced to use IPSec by policy.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

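An added example (not from either reply above) that puts numbers on Rick's point that tunnel mode only costs an extra header and slightly more encryption, and encodes Karsten's rule for when transport mode is even applicable, including the GRE over IPSec case. It assumes the thread's esp-des esp-sha-hmac transform set, IPv4 headers without options, a basic 4-byte GRE header and no NAT-T; real IOS packet sizes can differ from this model.

```python
# Constructed model of ESP encapsulation overhead for the transform set in the
# thread (esp-des esp-sha-hmac) in transport vs tunnel mode, plus the
# "who generates / who decrypts" rule for when transport mode is usable.
# Assumptions: IPv4 headers without options (20 bytes), a basic 4-byte GRE
# header, HMAC-SHA1-96 ICV (12 bytes), DES 8-byte block and IV, no NAT-T.

IP_HDR = 20         # IPv4 header, no options
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
GRE_HDR = 4         # GRE header without key/sequence fields
DES_BLOCK = DES_IV = 8
SHA1_ICV = 12       # HMAC-SHA1-96 integrity check value


def esp_size(payload_len, mode, gre=False):
    """Return (bytes on the wire, bytes fed to the cipher) for one ESP packet
    carrying an original IPv4 datagram of IP_HDR + payload_len bytes."""
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    inner = IP_HDR + payload_len
    if gre:
        # GRE over IPsec: the router wraps the whole datagram in a new GRE/IP packet
        inner = IP_HDR + GRE_HDR + inner
    # transport mode protects only what follows the IP header (payload or GRE);
    # tunnel mode protects the whole inner datagram and adds a new outer IP header
    protected = inner - IP_HDR if mode == "transport" else inner
    pad = (-(protected + ESP_TRAILER)) % DES_BLOCK   # pad to the cipher block size
    encrypted = protected + pad + ESP_TRAILER
    wire = IP_HDR + ESP_HDR + DES_IV + encrypted + SHA1_ICV
    return wire, encrypted


def tunnel_mode_overhead(payload_len, gre=False):
    """Extra bytes tunnel mode sends vs transport mode: the extra IP header,
    shifted up or down by block padding (16 or 24 bytes with an 8-byte block)."""
    return esp_size(payload_len, "tunnel", gre)[0] - esp_size(payload_len, "transport", gre)[0]


def transport_mode_allowed(inner_src, inner_dst, local_peer, remote_peer):
    """Transport mode fits only when the protecting device originated the
    packet and the decrypting device is its final recipient, i.e. the inner
    addresses are the IPsec peers themselves (true for a GRE/IP packet built
    by the router, false for a host-to-server flow passing through two routers)."""
    return inner_src == local_peer and inner_dst == remote_peer


if __name__ == "__main__":
    for gre in (False, True):
        for mode in ("transport", "tunnel"):
            print(f"gre={gre!s:5} {mode:9} wire/encrypted =", esp_size(100, mode, gre))
    # host behind the router talking to a server behind the peer: tunnel mode needed
    print(transport_mode_allowed("192.168.1.10", "192.168.2.20", "203.0.113.1", "203.0.113.2"))
    # GRE packet built by the router itself toward the peer: transport mode is fine
    print(transport_mode_allowed("203.0.113.1", "203.0.113.2", "203.0.113.1", "203.0.113.2"))
```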