RFC 1918 addresses on source and destination networks.
If in transport mode, IPSec does not encrypt the original IP header, but instead leaves it exposed for routing purposes, is it then true that you cant run IPSec transport mode when you have private address on both ends? You cant route private addresses over the public Internet, of course...hence, my question.
In tunnel mode, the original IP packet is totally encapsulated by an IPSec packet and the IPSec tunnel endpoints are the address that are exposed and used for routing the user traffic. So, of course, tunnel mode is perfectly acceptable.
When transport mode is used, IPSec encrypts only the IP payload. Transport mode provides the protection of an IP payload through an AH or ESP header. Typical IP payloads are TCP segments (containing a TCP header and TCP segment data), a UDP message (containing a UDP header and UDP message data), and an ICMP message (containing an ICMP header and ICMP message data).
The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be translated, as this will invalidate the hash value. The transport and application layers are always secured by hash, so they cannot be modified in any way (for example by translating the port numbers). Transport mode is used for host-to-host communications.
It would help if we knew a bit more about your environment. Would I be correct in assuming that when you say there are RFC 1918 addresses on the source and destination network that this means the networks on the inside interfaces of the routers? Another question is what is on the outside (Internet facing) interfaces? If there are public addresses on the outside interfaces then there is an opportunity to run IPSec with GRE where IPSec runs in transport mode and the GRE tunnels are terminated on the outside interfaces. In this implementation the addresses that the Internet sees are the outside interface addresses used by GRE and not the RFC 1918 addresses of the original packet.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...