Cisco Support Community
Community Member

IPSec in tunnel mode

IPSec works in 2 modes: Transport mode & Tunnel mode. Transport mode only encrypts the data payload but not the IP header, but still reveals the true source and destination, right? While Tunnel mode will encrypt both the data payload and the IP header, right?

My question is that if I wanted to use IPSec in, say, GRE tunneling, what will constitute the new source and destination IP address for the IPSec encrypted packet? Will they have to be the GRE tunnel source and destination end-point IP addresses? Also, how do you tell the encrypted IPSec packet to use these IP addresses?

The next question will be, how do you force this IPSec encrypted packet to use the GRE tunnel by routing this packet using the GRE tunnel interface? Using a static route? How?

1 REPLY
Bronze

Re: IPSec in tunnel mode

Hi,

Comments inline.

IPSec works in 2 modes: Transport mode & Tunnel mode. Transport mode only encrypts the data payload but not the IP header, but still reveals the true source and destination, right? While Tunnel mode will encrypt both the data payload and the IP header, right?

>> Transport mode doesn't add an extra IP HDR; tunnel mode adds an extra tunnel HDR.

In transport mode, only the data is encrypted (ESP) and the original IP HDR remains visible; in tunnel mode ESP, the original IP HDR is not visible, it is encrypted.

My question is that if I wanted to use IPSec in, say, GRE tunneling, what will constitute the new source and destination IP address for the IPSec encrypted packet?

>> For GRE over IPSec, transport mode is preferred, because an extra IP header is already added (in the form of the GRE HDR).

Will they have to be the GRE tunnel source and destination end-point IP addresses?

>> Yes, your crypto ACL will be based on GRE (host to host).

Also, how do you tell the encrypted IPSec packet to use these IP addresses?

>> First, GRE encapsulation is applied (for GRE over IPSec), and then the GRE packet is encrypted.

The next question will be, how do you force this IPSec encrypted packet to use the GRE tunnel by routing this packet using the GRE tunnel interface? Using a static route?

>> Yeah, you can use a static route, or you can use a routing protocol to do that; the idea is to route traffic to the GRE tunnel so that it gets encapsulated inside the GRE HDR.

How?

>> http://www.cisco.com/warp/public/707/33.shtml

Hope it helps.

Thanks,

Afaq

Cisco TAC

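The reply above describes the pieces (transport-mode transform set, a host-to-host GRE crypto ACL, a GRE tunnel interface, and a route pointing into the tunnel) without showing them together. The following IOS configuration for one side of a GRE over IPsec link is an added example, not part of the original thread or Cisco's linked document. All addresses are constructed from RFC 5737 documentation space, the names GRE-TS, GRE-TRAFFIC, GRE-MAP and the pre-shared-key placeholder are assumptions, and the far end would mirror it with the addresses swapped.

```cisco
! Router A of a constructed GRE over IPsec example (not from the original post).
! Public WAN address of A: 198.51.100.1, of B: 203.0.113.2. LAN behind B: 192.168.2.0/24.
!
! Phase 1 (IKE) policy and pre-shared key for the peer.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2
!
! Phase 2: ESP in transport mode. The GRE/IP header supplied by Tunnel0 is the
! outer header, so IPsec does not need to add a second IP header of its own.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL: match only the GRE packets between the two tunnel end-points.
! Everything inside the GRE tunnel is protected because it is carried by these packets.
ip access-list extended GRE-TRAFFIC
 permit gre host 198.51.100.1 host 203.0.113.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address GRE-TRAFFIC
!
! The GRE tunnel. Its source/destination become the source/destination of the
! ESP packet on the wire; the inner (10.0.0.x, 192.168.x.x) addresses are encrypted.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
 tunnel mode gre ip
!
! The crypto map is applied to the physical interface the GRE packets leave on,
! so encapsulation order is: inner IP -> GRE -> ESP -> outer IP (198.51.100.1 -> 203.0.113.2).
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map GRE-MAP
!
! Static route that forces traffic for the remote LAN into the tunnel;
! a routing protocol running over Tunnel0 would do the same job.
ip route 192.168.2.0 255.255.255.0 Tunnel0
```

To confirm the design is doing what the reply describes, `show crypto ipsec sa` should list a single SA whose local and remote identities are the two tunnel end-point hosts with protocol GRE (not the inner LAN prefixes), and its encaps/decaps counters should increase as traffic crosses Tunnel0. The lowered `ip mtu` and `ip tcp adjust-mss` on the tunnel leave room for the GRE and ESP overhead and avoid fragmentation after encryption. On newer IOS releases the crypto map and ACL can be replaced by a `crypto ipsec profile` referenced with `tunnel protection ipsec profile` under the tunnel interface, which achieves the same GRE-over-IPsec result without a separate ACL.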